Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP4:Update
lhasa.2320
lhasa-0.2.0-integer_underflow.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File lhasa-0.2.0-integer_underflow.patch of Package lhasa.2320
From 6fcdb8f1f538b9d63e63a5fa199c5514a15d4564 Mon Sep 17 00:00:00 2001 From: Simon Howard <fraggle@soulsphere.org> Date: Thu, 17 Mar 2016 00:40:19 -0400 Subject: [PATCH] Fix integer underflow vulnerability in L3 decode. Marcin 'Icewall' Noga of Cisco TALOS discovered that the level 3 header decoding routines were vulnerable to an integer underflow, if the 32-bit header length was less than the base level 3 header length. This could lead to an exploitable heap corruption condition. Thanks go to Marcin Noga and Regina Wilson of Cisco TALOS for reporting this vulnerability. --- lib/lha_file_header.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/lha_file_header.c b/lib/lha_file_header.c index 2889eec..b06be91 100644 --- a/lib/lha_file_header.c +++ b/lib/lha_file_header.c @@ -351,6 +351,10 @@ static uint8_t *extend_raw_data(LHAFileHeader **header, size_t new_raw_len; uint8_t *result; + if (nbytes > LEVEL_3_MAX_HEADER_LEN) { + return NULL; + } + // Reallocate the header and raw_data area to be larger. new_raw_len = RAW_DATA_LEN(header) + nbytes; @@ -797,7 +801,8 @@ static int decode_level3_header(LHAFileHeader **header, LHAInputStream *stream) header_len = lha_decode_uint32(&RAW_DATA(header, 24)); - if (header_len > LEVEL_3_MAX_HEADER_LEN) { + if (header_len > LEVEL_3_MAX_HEADER_LEN + || header_len < RAW_DATA_LEN(header)) { return 0; }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor