
sd2.c: 2 buffer overruns #93

Closed
@MegaManSec

Description


Hi,

In sd2.c, 2 different buffer overruns may occur due to incorrect checking.

1:

  1. cond_at_most: Checking rsrc.rsrc_len > 12292 implies that rsrc.rsrc_len has the value which may be up to 12292 on the false branch.
    442 if (rsrc.rsrc_len > SIGNED_SIZEOF (psf->header))
  2. alias: Assigning: rsrc.rsrc_data = psf->header. rsrc.rsrc_data now points to byte 0 of psf->header (which consists of 12292 bytes).
    448 rsrc.rsrc_data = psf->header ;
  3. cond_at_most: Checking rsrc.map_offset > rsrc.rsrc_len implies that rsrc.map_offset has the value which may be up to 12292 on the false branch.
    481 if (rsrc.map_offset > rsrc.rsrc_len)
  4. cond_at_most: Checking rsrc.map_offset + 28 >= rsrc.rsrc_len implies that rsrc.map_offset has the value which may be up to 12263 on the false branch.
    505 if (rsrc.map_offset + 28 >= rsrc.rsrc_len)

Line 517:

  1. assignment: Assigning: rsrc.type_offset = rsrc.map_offset + 30. The value of rsrc.type_offset may now be up to 12293.
    518 rsrc.type_offset = rsrc.map_offset + 30 ;
  2. overrun-buffer-arg: Overrunning buffer pointed to by rsrc.rsrc_data of 12292 bytes by passing it to a function which accesses it at byte offset 12293 using argument rsrc.type_offset + k * 8 (which evaluates to 12293).
    536 { marker = read_rsrc_marker (&rsrc, rsrc.type_offset + k * 8) ;

2:

  1. Assigning: rsrc.rsrc_data = calloc(1UL, rsrc.rsrc_len).
    443 { rsrc.rsrc_data = calloc (1, rsrc.rsrc_len) ;
  2. symbolic_assign: Tracking psf->headend since rsrc.rsrc_len is tracked with rsrc.rsrc_data.
    456 psf->headindex = psf->headend = rsrc.rsrc_len ;
  3. Overrunning dynamic array rsrc.rsrc_data by passing it to a function that accesses it at byte rsrc.map_offset + 28.
    520 rsrc.type_count = read_rsrc_short (&rsrc, rsrc.map_offset + 28) + 1 ;

and:

  Overrunning dynamic array rsrc.rsrc_data by passing it to a function that accesses it at byte rsrc.map_offset + 26.
    511 rsrc.string_offset = rsrc.map_offset + read_rsrc_short (&rsrc, rsrc.map_offset + 26) ;

Thanks,
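Added example (not libsndfile's code, and not part of the report above) that models the arithmetic of the first finding: the line-505 guard, the 4-byte marker read at type_offset + k * 8, and next to them a table-fitting precondition plus a bounds-checked reader of the kind that closes the gap. The names rsrc_view, original_guard_passes, marker_read_in_bounds, type_table_fits and read_marker_checked are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed stand-in for the sd2.c resource-fork state the report cites;
 * not libsndfile's real structure. */
typedef struct {
    const uint8_t *rsrc_data;
    size_t rsrc_len;     /* bytes available in rsrc_data (12292 in the report) */
} rsrc_view;

/* The guard quoted at line 505: it passes whenever map_offset + 28 < rsrc_len,
 * which still lets type_offset = map_offset + 30 land past the end. */
int original_guard_passes(size_t rsrc_len, size_t map_offset) {
    return !(map_offset + 28 >= rsrc_len);
}

/* Does a 4-byte marker read at (map_offset + 30) + k * 8 stay inside
 * rsrc_len bytes?  Written so that no addition can wrap around. */
int marker_read_in_bounds(size_t rsrc_len, size_t map_offset, size_t k) {
    if (map_offset > SIZE_MAX - 30) return 0;
    size_t type_offset = map_offset + 30;
    if (k > (SIZE_MAX - type_offset) / 8) return 0;
    size_t off = type_offset + k * 8;
    return off <= rsrc_len && rsrc_len - off >= 4;
}

/* Hardened precondition: the whole type table (type_count entries of 8 bytes
 * starting at map_offset + 30) must fit before any entry is read. */
int type_table_fits(size_t rsrc_len, size_t map_offset, size_t type_count) {
    if (map_offset > SIZE_MAX - 30) return 0;
    size_t type_offset = map_offset + 30;
    if (type_offset > rsrc_len) return 0;
    return type_count <= (rsrc_len - type_offset) / 8;
}

/* Bounds-checked big-endian 4-byte read: returns -1 instead of overrunning. */
int read_marker_checked(const rsrc_view *r, size_t off, uint32_t *out) {
    if (off > r->rsrc_len || r->rsrc_len - off < 4) return -1;
    *out = ((uint32_t)r->rsrc_data[off] << 24) | ((uint32_t)r->rsrc_data[off + 1] << 16)
         | ((uint32_t)r->rsrc_data[off + 2] << 8) | (uint32_t)r->rsrc_data[off + 3];
    return 0;
}

int main(void) {
    /* The report's values: a 12292-byte header buffer and map_offset = 12263. */
    printf("original guard passes: %d\n", original_guard_passes(12292, 12263));
    printf("marker read in bounds: %d\n", marker_read_in_bounds(12292, 12263, 0));
    printf("type table fits:       %d\n", type_table_fits(12292, 12263, 1));
    return 0;
}
```

With the report's values the original guard passes while both added checks reject the input; with map_offset = 12254 a single-entry table ends exactly at byte 12292 and is accepted.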
