1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
|
From 17038206fcc384dcee6dd9e3a75f08fd3ddc6a38 Mon Sep 17 00:00:00 2001
From: Stuart Caie <kyzer@4u.net>
Date: Sun, 6 Aug 2017 10:11:15 +0100
Subject: [PATCH] Fix mis-handling of sys->read() errors in cabd_read_string()
---
ChangeLog | 8 ++++++++
mspack/cabd.c | 7 +++++--
2 files changed, 13 insertions(+), 2 deletions(-)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2017-08-05 Stuart Caie <kyzer@cabextract.org.uk>
+
+ * cabd_read_string(): add missing error check on result of read().
+ If an mspack_system implementation returns an error, it's interpreted
+ as a huge positive integer, which leads to reading past the end of the
+ stack-based buffer. Thanks to Sebastian Andrzej Siewior for explaining
+ the problem. This issue was raised by ClamAV as CVE-2017-11423
+
2015-05-10 Stuart Caie <kyzer@4u.net>
* cabd_read_string(): correct rejection of empty strings. Thanks to
--- a/mspack/cabd.c
+++ b/mspack/cabd.c
@@ -521,10 +521,13 @@ static char *cabd_read_string(struct msp
{
off_t base = sys->tell(fh);
char buf[256], *str;
- unsigned int len, i, ok;
+ int len, i, ok;
/* read up to 256 bytes */
- len = sys->read(fh, &buf[0], 256);
+ if ((len = sys->read(fh, &buf[0], 256)) <= 0) {
+ *error = MSPACK_ERR_READ;
+ return NULL;
+ }
/* search for a null terminator in the buffer */
for (i = 0, ok = 0; i < len; i++) if (!buf[i]) { ok = 1; break; }
|
