Commit
Fix integer overflow in cheatsImportGSACodeFile length check.
Although a length check is being performed on the imported GSA Codes file, `len` is both a signed int and attacker controlled. With a specially crafted GSA Codes file, an attacker could specify a value for `len` that overflows the `int` type, rolling over into a negative number. By doing so, the attacker can bypass the conditional mentioned above. The `fseek` length parameter is of type `size_t`, which is an unsigned int; this will result in `len` being interpreted as a large unsigned int, allowing for a stack-based buffer overflow in the `desc` char array. By making `len` an unsigned integer, it will prevent the overflow. It ensures that the bounds check works as intended.
6a8a9e6
As a clarification, this isn't actually related to an overflow of the integer. It is simply due to the attacker's ability to abuse the type interpretations of `len` in both the signed conditional and the unsigned `count` parameter in `fread`. I had overflows on the brain and clearly it leaked out 😄. The PR has a better description: #593
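The signed/unsigned mismatch described in the commit message and the follow-up comment, as an added example that is not the project's own code: a hypothetical record format (4-byte little-endian length word plus description bytes), a made-up `DESC_CAP`, and the function names are all assumptions. The flawed check only reports what it would decide and what count it would hand to `fread`; the fixed parser keeps the length unsigned and actually performs the bounded copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DESC_CAP 100   /* hypothetical capacity of the desc[] array */

/* Constructed sample records (not from any real GSA Codes file): a 4-byte
 * little-endian length word followed by that many description bytes. */
static const unsigned char REC_GOOD[] = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char REC_BAD[]  = { 0xFF, 0xFF, 0xFF, 0xFF };

static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The flawed pattern: the length lives in a signed int, so 0xFFFFFFFF reads
 * as -1 (two's complement assumed), "len > DESC_CAP" is false, and the value
 * is then converted to size_t for fread's count parameter.
 * This function performs no read; it only reports the check's verdict and
 * the count that fread would have been handed. */
int check_desc_signed(const unsigned char *rec, size_t *count_for_fread) {
    int len = (int)read_le32(rec);
    if (len > DESC_CAP)
        return 0;                       /* rejected by the bounds check */
    *count_for_fread = (size_t)len;     /* -1 becomes SIZE_MAX here */
    return 1;                           /* accepted by the bounds check */
}

/* The fix: keep the length unsigned so the comparison and the later size_t
 * use agree; also bound by the bytes actually present and leave room for NUL. */
int parse_desc_fixed(const unsigned char *rec, size_t rec_len,
                     char *desc, size_t desc_cap) {
    if (rec_len < 4)
        return 0;
    uint32_t len = read_le32(rec);
    if (len >= desc_cap || len > rec_len - 4)
        return 0;
    memcpy(desc, rec + 4, len);
    desc[len] = '\0';
    return 1;
}

int main(void) {
    char desc[DESC_CAP]; size_t count = 0;
    int accepted = check_desc_signed(REC_BAD, &count);
    printf("signed check on REC_BAD: accepted=%d count=%zu\n", accepted, count);
    printf("fixed parser rejects REC_BAD: %d\n",
           !parse_desc_fixed(REC_BAD, sizeof REC_BAD, desc, sizeof desc));
    return 0;
}
```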