Closed
Hi,
In sd2.c, 2 different buffer overruns may occur due to incorrect checking.
1:
- cond_at_most: Checking rsrc.rsrc_len > 12292 implies that rsrc.rsrc_len has the value which may be up to 12292 on the false branch.
442 if (rsrc.rsrc_len > SIGNED_SIZEOF (psf->header))
- alias: Assigning: rsrc.rsrc_data = psf->header. rsrc.rsrc_data now points to byte 0 of psf->header (which consists of 12292 bytes).
448 rsrc.rsrc_data = psf->header ;
- cond_at_most: Checking rsrc.map_offset > rsrc.rsrc_len implies that rsrc.map_offset has the value which may be up to 12292 on the false branch.
481 if (rsrc.map_offset > rsrc.rsrc_len)
- cond_at_most: Checking rsrc.map_offset + 28 >= rsrc.rsrc_len implies that rsrc.map_offset has the value which may be up to 12263 on the false branch.
505 if (rsrc.map_offset + 28 >= rsrc.rsrc_len)
- assignment: Assigning: rsrc.type_offset = rsrc.map_offset + 30. The value of rsrc.type_offset may now be up to 12293.
518 rsrc.type_offset = rsrc.map_offset + 30 ;
- overrun-buffer-arg: Overrunning buffer pointed to by rsrc.rsrc_data of 12292 bytes by passing it to a function which accesses it at byte offset 12293 using argument rsrc.type_offset + k * 8 (which evaluates to 12293).
536 { marker = read_rsrc_marker (&rsrc, rsrc.type_offset + k * 8) ;
2:
- Assigning: rsrc.rsrc_data = calloc(1UL, rsrc.rsrc_len).
443 { rsrc.rsrc_data = calloc (1, rsrc.rsrc_len) ;
- symbolic_assign: Tracking psf->headend since rsrc.rsrc_len is tracked with rsrc.rsrc_data.
456 psf->headindex = psf->headend = rsrc.rsrc_len ;
- Overrunning dynamic array rsrc.rsrc_data by passing it to a function that accesses it at byte rsrc.map_offset + 28.
520 rsrc.type_count = read_rsrc_short (&rsrc, rsrc.map_offset + 28) + 1 ;
and:
- Overrunning dynamic array rsrc.rsrc_data by passing it to a function that accesses it at byte rsrc.map_offset + 26.
511 rsrc.string_offset = rsrc.map_offset + read_rsrc_short (&rsrc, rsrc.map_offset + 26) ;
Thanks,
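As an added example, not part of this report or of libsndfile: a constructed C model of the check at line 505 (`map_offset + 28 >= rsrc_len`) next to the reads it is supposed to guard (`map_offset + 30 + k * 8` at line 536, and the 2-byte reads at `map_offset + 26` and `+ 28`), beside a check that covers every byte those reads touch. The function names, the 8-byte entry stride and the sample buffer are assumptions.

```c
#include <stddef.h>

/* The check at sd2.c line 505 as described: accepts any map_offset with
   map_offset + 28 < rsrc_len, i.e. up to rsrc_len - 29 (12263 for 12292). */
static int original_check_accepts(size_t map_offset, size_t rsrc_len)
{
    return !(map_offset + 28 >= rsrc_len);
}

/* First byte the type loop touches: type_offset = map_offset + 30 (line 518),
   entry k at type_offset + k * 8 (line 536). 1 if entry 0 is already past the end. */
static int first_entry_overruns(size_t map_offset, size_t rsrc_len)
{
    return map_offset + 30 >= rsrc_len;
}

/* Hardened check: accept only if the 30 header bytes at map_offset and all
   type_count entries (assumed 8 bytes each) fit inside rsrc_len; no sum can wrap. */
static int hardened_check_accepts(size_t map_offset, size_t rsrc_len, size_t type_count)
{
    if (map_offset > rsrc_len) return 0;
    size_t avail = rsrc_len - map_offset;
    if (avail < 30) return 0;                 /* also covers the short read at +28 */
    return type_count <= (avail - 30) / 8;
}

/* Bounds-checked big-endian 16-bit read, the shape read_rsrc_short needs so the
   reads at map_offset + 26 and + 28 cannot step outside the buffer. 0 ok, -1 refused. */
static int read_u16_be_checked(const unsigned char *buf, size_t len, size_t off, unsigned *out)
{
    if (off > len || len - off < 2) return -1;
    *out = ((unsigned) buf[off] << 8) | buf[off + 1];
    return 0;
}

/* Constructed 4-byte sample; returns the value at off, or 0xFFFF when refused. */
static unsigned demo_read(size_t off)
{
    static const unsigned char sample[4] = { 0x00, 0x01, 0x02, 0x03 };
    unsigned v;
    return read_u16_be_checked(sample, sizeof sample, off, &v) == 0 ? v : 0xFFFFu;
}
```

With rsrc_len = 12292 the original check lets map_offset = 12263 through while entry 0 would start at byte 12293; the hardened check rejects it.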