[libbluray-devel] check for integer overflow when parsing file entry

Thu, 21 May 2015 02:23:57 -0700 

libudfread | branch: master | Petri Hintukainen <[email protected]> | Thu May 
21 12:14:07 2015 +0300| [56f9e74e1db0f16eac56f06b2b26e3a7b2335eb4] | committer: 
Petri Hintukainen

check for integer overflow when parsing file entry

> http://git.videolan.org/gitweb.cgi/libudfread.git/?a=commit;h=56f9e74e1db0f16eac56f06b2b26e3a7b2335eb4
---

 src/ecma167.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/ecma167.c b/src/ecma167.c
index ff996a9..f7ab66c 100644
--- a/src/ecma167.c
+++ b/src/ecma167.c
@@ -304,6 +304,12 @@ struct file_entry *decode_file_entry(const uint8_t *p, 
size_t size, uint16_t par
     l_ea = _get_u32(p + 168);
     l_ad = _get_u32(p + 172);
 
+    /* check for integer overflow */
+    if ((uint64_t)l_ea + (uint64_t)l_ad + (uint64_t)176 >= (uint64_t)1<<32) {
+        ecma_error("invalid file entry\n");
+        return NULL;
+    }
+
     return _decode_file_entry(p, size, partition, l_ad, 176 + l_ea);
 }
 
@@ -315,6 +321,12 @@ struct file_entry *decode_ext_file_entry(const uint8_t *p, 
size_t size, uint16_t
     l_ea = _get_u32(p + 208);
     l_ad = _get_u32(p + 212);
 
+    /* check for integer overflow */
+    if ((uint64_t)l_ea + (uint64_t)l_ad + (uint64_t)216 >= (uint64_t)1<<32) {
+        ecma_error("invalid file entry\n");
+        return NULL;
+    }
+
     return _decode_file_entry(p, size, partition, l_ad, 216 + l_ea);
 }
 

_______________________________________________
libbluray-devel mailing list
[email protected]
https://mailman.videolan.org/listinfo/libbluray-devel

Reply via email to