From 17038206fcc384dcee6dd9e3a75f08fd3ddc6a38 Mon Sep 17 00:00:00 2001
From: Stuart Caie <kyzer@4u.net>
Date: Sun, 6 Aug 2017 10:11:15 +0100
Subject: [PATCH] Fix mis-handling of sys->read() errors in cabd_read_string()
---
ChangeLog | 8 ++++++++
mspack/cabd.c | 7 +++++--
2 files changed, 13 insertions(+), 2 deletions(-)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2017-08-05 Stuart Caie <kyzer@cabextract.org.uk>
+
+ * cabd_read_string(): add missing error check on result of read().
+ If an mspack_system implementation returns an error, it's interpreted
+ as a huge positive integer, which leads to reading past the end of the
+ stack-based buffer. Thanks to Sebastian Andrzej Siewior for explaining
+ the problem. This issue was raised by ClamAV as CVE-2017-11423
+
2015-05-10 Stuart Caie <kyzer@4u.net>
* cabd_read_string(): correct rejection of empty strings. Thanks to
--- a/mspack/cabd.c
+++ b/mspack/cabd.c
@@ -521,10 +521,13 @@ static char *cabd_read_string(struct msp
{
off_t base = sys->tell(fh);
char buf[256], *str;
- unsigned int len, i, ok;
+ int len, i, ok;
/* read up to 256 bytes */
- len = sys->read(fh, &buf[0], 256);
+ if ((len = sys->read(fh, &buf[0], 256)) <= 0) {
+ *error = MSPACK_ERR_READ;
+ return NULL;
+ }
/* search for a null terminator in the buffer */
for (i = 0, ok = 0; i < len; i++) if (!buf[i]) { ok = 1; break; }