If the offset (base) is beyond the end of the file (statbuf.st_size), the computations will lead to an integer overflow. As it doesn't make sense in the first place, check for this condition and fail immediately.
This bug was discovered by Lionel Debroux using the AFL fuzzer and AddressSanitizer. Signed-off-by: Jean Delvare <jdelv...@suse.de> Fixes: bd78a5dfd470 ("dmidecode: Don't allocate more memory than needed") --- util.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) --- dmidecode.orig/util.c 2018-08-09 09:34:24.535059494 +0200 +++ dmidecode/util.c 2018-09-11 11:23:52.790702462 +0200 @@ -117,7 +117,14 @@ void *read_file(off_t base, size_t *max_ */ if (fstat(fd, &statbuf) == 0) { - if (base + (off_t)*max_len > statbuf.st_size) + if (base >= statbuf.st_size) + { + fprintf(stderr, "%s: Can't read data beyond EOF\n", + filename); + p = NULL; + goto out; + } + if (*max_len > (size_t)statbuf.st_size - base) *max_len = statbuf.st_size - base; } -- Jean Delvare SUSE L3 Support _______________________________________________ https://lists.nongnu.org/mailman/listinfo/dmidecode-devel
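Review bot: in the added line `if (*max_len > (size_t)statbuf.st_size - base)` the cast binds only to `statbuf.st_size`, so the subtraction is evaluated as `size_t` minus `off_t` (mixed signedness); since the new `base >= statbuf.st_size` guard just above already guarantees `st_size - base` is positive, writing it as `(size_t)(statbuf.st_size - base)` expresses the same bound without the mixed-type arithmetic and matches the assignment `*max_len = statbuf.st_size - base;` on the next line term for term. The guard also does not reject a negative `base` (it is an `off_t`); if any caller can pass one, `base < 0 ||` belongs in the same condition so the "Can't read data beyond EOF" path handles it too. Dropping the removed form `base + (off_t)*max_len > statbuf.st_size` is the right call, as that addition could itself overflow for a large `*max_len`.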