commit: 3763b1135eefc63fa19c084602241767670a4dd0
Author: Fabian Groffen <grobian <AT> gentoo <DOT> org>
AuthorDate: Mon Nov 18 20:07:08 2019 +0000
Commit: Fabian Groffen <grobian <AT> gentoo <DOT> org>
CommitDate: Mon Nov 18 20:07:08 2019 +0000
URL: https://gitweb.gentoo.org/proj/portage-utils.git/commit/?id=3763b113

libq/xpak: perform sanity checks on offset and len

As shown by Agostino Sarubbo, the input can be crap, resulting in very
bad scenarios.

Signed-off-by: Fabian Groffen <grobian <AT> gentoo.org>

libq/xpak.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/libq/xpak.c b/libq/xpak.c
index 82667b0..71dc17e 100644
--- a/libq/xpak.c
+++ b/libq/xpak.c
@@ -77,6 +77,14 @@ static void _xpak_walk_index(
p += 4;
data_len = READ_BE_INT32((unsigned char*)p);
p += 4;
+
+ /* check offset and len individually to deal with overflow */
+ if (data_offset > x->index_len ||
+ data_len > x->index_len ||
+ data_offset + data_len > x->index_len)
+ err("Data for '%s' is out of bounds: offset=%u,
len=%u\n",
+ pathname, data_len, data_offset);
+
(*func)(x->ctx, pathname, pathname_len,
data_offset, data_len, x->data);
}
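Review bot: In the err() call, the arguments are in the opposite order from the format string: the message prints offset=%u first and len=%u second, but the call passes data_len before data_offset, so the diagnostic reports the two values swapped. Pass pathname, data_offset, data_len instead. Separately, all three comparisons bound data_offset and data_len by x->index_len, yet the values are handed to the callback together with x->data, so they look like positions within the data section rather than the index. If that is the case, the limit should be the length of the data section, because an index-sized bound can reject valid entries and still accept ones that run past the end of the data. A short comment naming the buffer this bound protects would make the intent checkable.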