From: Hilko Bengen <bengen@debian.org>
Date: Tue, 27 Mar 2018 18:54:14 +0200
Subject: Fix CVE-2018-8754 (missing bounds checks)

Cherry-picked from 9d2cc3ca0a1612a6b271abcacffc2e3eea42925e
---
 libevt/libevt_record_values.c | 35 ++++++++++++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)

diff --git a/libevt/libevt_record_values.c b/libevt/libevt_record_values.c
index 20dbfe9..36d91a7 100644
--- a/libevt/libevt_record_values.c
+++ b/libevt/libevt_record_values.c
@@ -1245,6 +1245,17 @@ int libevt_record_values_read_event(
 	}
 	if( user_sid_size != 0 )
 	{
+		if( user_sid_size > ( ( record_data_size - 4 ) - user_sid_offset ) )
+		{
+			libcerror_error_set(
+			 error,
+			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
+			 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
+			 "%s: user SID data size value out of bounds.",
+			 function );
+
+			goto on_error;
+		}
 		if( libfvalue_value_type_initialize(
 		     &( record_values->user_security_identifier ),
 		     LIBFVALUE_VALUE_TYPE_NT_SECURITY_IDENTIFIER,
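Review bot: The added guard computes `( record_data_size - 4 ) - user_sid_offset` without first establishing that `user_sid_offset` is at most `record_data_size - 4`, or that `record_data_size` is at least 4. If these values are unsigned and nothing earlier in the function (outside this hunk) constrains the offset, an out-of-range offset read from the record makes the subtraction wrap to a large value and the size comparison passes. I would fold the offset into the condition, e.g. `if( ( record_data_size < 4 ) || ( user_sid_offset > ( record_data_size - 4 ) ) || ( user_sid_size > ( ( record_data_size - 4 ) - user_sid_offset ) ) )`. The same applies to the `strings_offset` check in the second hunk and the `record_data_offset` check in the third.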
@@ -1306,6 +1317,17 @@ int libevt_record_values_read_event(
 	}
 	if( strings_size != 0 )
 	{
+		if( strings_size > ( ( record_data_size - 4 ) - strings_offset ) )
+		{
+			libcerror_error_set(
+			 error,
+			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
+			 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
+			 "%s: strings size value out of bounds.",
+			 function );
+
+			goto on_error;
+		}
 #if defined( HAVE_DEBUG_OUTPUT )
 		if( libcnotify_verbose != 0 )
 		{
@@ -1373,6 +1395,17 @@ int libevt_record_values_read_event(
 	}
 	if( data_size != 0 )
 	{
+		if( data_size > ( ( record_data_size - 4 ) - record_data_offset ) )
+		{
+			libcerror_error_set(
+			 error,
+			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
+			 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
+			 "%s: data size value out of bounds.",
+			 function );
+
+			goto on_error;
+		}
 #if defined( HAVE_DEBUG_OUTPUT )
 		if( libcnotify_verbose != 0 )
 		{
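Review bot: The check on `data_size` is bounded against the running `record_data_offset`, while the record-supplied `data_offset` (which the last hunk removes from the debug print) is not compared with anything in the visible lines. If code after this hunk still indexes `record_data` with `data_offset`, that access remains unchecked; the rest of the function is outside the hunk, so this is worth confirming. If the intent is that the data is always read at `record_data_offset`, a comment above the check such as `/* data is read at record_data_offset; the stored data_offset is not used for indexing */` would make that explicit.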
@@ -1380,7 +1413,7 @@ int libevt_record_values_read_event(
 			 "%s: data:\n",
 			 function );
 			libcnotify_print_data(
-			 &( record_data[ data_offset ] ),
+			 &( record_data[ record_data_offset ] ),
 			 (size_t) data_size,
 			 LIBCNOTIFY_PRINT_DATA_FLAG_GROUP_DATA );
 		}
