Public bug reported:
integer overflow leading to heap corruption in dmg2img.c
```
//+1 overflows if XMLLength = 0xffffffffffffffff
// then plist is a valid pointer to an allocation of length 0 (it can
be freed, but not written to)
220 plist = (char *)malloc(kolyblk.XMLLength + 1);
221
//plist is not zero, therfore no exit
222 if (!plist)
223 mem_overflow();
224
225 fseeko(FIN, kolyblk.XMLOffset, SEEK_SET);
//fails to read enough, but return code is not checked
226 fread(plist, kolyblk.XMLLength, 1, FIN);
//sets the byte at plist-1 to zero, this corrupts malloc meta data
227 plist[kolyblk.XMLLength] = '\0';
228
229 if (debug && verbose >= 3) {
230 fprintf(FDBG, "%s\n", plist);
231 }
232 char *_blkx_begin = strstr(plist, blkx_begin);
233 blkx_size = strstr(_blkx_begin, list_end) - _blkx_begin;
//because the meta data was corrupted in line 227, this segfaults.
234 blkx = (char *)malloc(blkx_size + 1);
```
Steps to reproduce:
```
apt-get source dmg2img
cd dmg2img-1.6.7/
make
./dmg2img ../crash
```
** Affects: dmg2img (Ubuntu)
Importance: Undecided
Status: New
** Attachment added: "dmg2img_heap_corruption.tar"
https://bugs.launchpad.net/bugs/1854223/+attachment/5308300/+files/dmg2img_heap_corruption.tar
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1854223
Title:
Integer overflow causes heap corruption
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dmg2img/+bug/1854223/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
