File lhasa-0.2.0-integer_underflow.patch of Package lhasa.2320

From 6fcdb8f1f538b9d63e63a5fa199c5514a15d4564 Mon Sep 17 00:00:00 2001
From: Simon Howard <fraggle@soulsphere.org>
Date: Thu, 17 Mar 2016 00:40:19 -0400
Subject: [PATCH] Fix integer underflow vulnerability in L3 decode.

Marcin 'Icewall' Noga of Cisco TALOS discovered that the level 3 header
decoding routines were vulnerable to an integer underflow, if the 32-bit
header length was less than the base level 3 header length. This could
lead to an exploitable heap corruption condition.

Thanks go to Marcin Noga and Regina Wilson of Cisco TALOS for reporting
this vulnerability.
---
 lib/lha_file_header.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/lha_file_header.c b/lib/lha_file_header.c
index 2889eec..b06be91 100644
--- a/lib/lha_file_header.c
+++ b/lib/lha_file_header.c
@@ -351,6 +351,10 @@ static uint8_t *extend_raw_data(LHAFileHeader **header,
 	size_t new_raw_len;
 	uint8_t *result;
 
+	if (nbytes > LEVEL_3_MAX_HEADER_LEN) {
+		return NULL;
+	}
+
 	// Reallocate the header and raw_data area to be larger.
 
 	new_raw_len = RAW_DATA_LEN(header) + nbytes;
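Review bot: The new guard at the top of extend_raw_data() bounds nbytes on its own, but the value actually used for the reallocation is the sum computed just below, RAW_DATA_LEN(header) + nbytes, and nothing in this hunk bounds that total. Consider checking the sum against the limit as well (or instead), so that repeated calls cannot grow the raw data past the maximum one call at a time. The constant is named LEVEL_3_MAX_HEADER_LEN while this helper's signature is not level-3 specific, so a short comment saying why that limit is the right one here, and that the check is a backstop for length values that have wrapped in a caller, would help the next reader. It is also worth confirming that every caller treats the new NULL return as a decode failure.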
@@ -797,7 +801,8 @@ static int decode_level3_header(LHAFileHeader **header, LHAInputStream *stream)
 
 	header_len = lha_decode_uint32(&RAW_DATA(header, 24));
 
-	if (header_len > LEVEL_3_MAX_HEADER_LEN) {
+	if (header_len > LEVEL_3_MAX_HEADER_LEN
+	 || header_len < RAW_DATA_LEN(header)) {
 		return 0;
 	}
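Review bot: The added lower bound, header_len < RAW_DATA_LEN(header), is the actual fix but carries no comment in the code; the reason lives only in the commit message. A one-line comment above the condition stating that header_len is the full header length and must not be smaller than the bytes already read, because the remaining length would otherwise underflow, would keep the check from being removed as redundant later. Since header_len comes from lha_decode_uint32() and is compared against RAW_DATA_LEN(header), please also confirm that both operands are unsigned and of compatible width so that the comparison is not affected by an implicit conversion.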