Permalink
Browse files

CAB block input buffer is one byte too small for maximal Quantum block

  • Loading branch information...
kyz committed Oct 17, 2018
1 parent 8759da8 commit 40ef1b4093d77ad3a5cfcee1f5cb6108b3a3bcc2
Showing with 18 additions and 2 deletions.
  1. +8 −0 libmspack/ChangeLog
  2. +10 −2 libmspack/mspack/cab.h
View
@@ -1,3 +1,11 @@
2018-10-17 Stuart Caie <kyzer@cabextract.org.uk>
* cab.h: Make the CAB block input buffer one byte larger, to allow
a maximum-allowed-size input block and the special extra byte added
after the block by cabd_sys_read_block to help Quantum alignment.
Thanks to Henri Salo for reporting this.
2018-10-17 Stuart Caie <kyzer@cabextract.org.uk>
* chmd_read_headers(): again reject files with blank filenames, this
View
@@ -1,5 +1,5 @@
/* This file is part of libmspack.
* (C) 2003-2004 Stuart Caie.
* (C) 2003-2018 Stuart Caie.
*
* libmspack is free software; you can redistribute it and/or modify it under
* the terms of the GNU Lesser General Public License (LGPL) version 2.1
@@ -70,6 +70,14 @@
#define CAB_BLOCKMAX (32768)
#define CAB_INPUTMAX (CAB_BLOCKMAX+6144)
/* input buffer needs to be CAB_INPUTMAX + 1 byte to allow for max-sized block
* plus 1 trailer byte added by cabd_sys_read_block() for Quantum alignment.
*
* When MSCABD_PARAM_SALVAGE is set, block size is not checked so can be
* up to 65535 bytes, so max input buffer size needed is 65535 + 1
*/
#define CAB_INPUTBUF (65535 + 1)
/* There are no more than 65535 data blocks per folder, so a folder cannot
* be more than 32768*65535 bytes in length. As files cannot span more than
* one folder, this is also their max offset, length and offset+length limit.
@@ -101,7 +109,7 @@ struct mscabd_decompress_state {
struct mspack_file *infh; /* input file handle */
struct mspack_file *outfh; /* output file handle */
unsigned char *i_ptr, *i_end; /* input data consumed, end */
unsigned char input[CAB_INPUTMAX]; /* one input block of data */
unsigned char input[CAB_INPUTBUF]; /* one input block of data */
};
struct mscab_decompressor_p {

1 comment on commit 40ef1b4

@carnil

This comment has been minimized.

carnil commented on 40ef1b4 Oct 23, 2018

Issue fixed by this commit got CVE-2018-18584 assigned.

Please sign in to comment.