File fix-unchecked-lenght-cbef76.patch of Package capstone.42054

From 423bc64c7dbd06e5d3c6aeb3d120fd428e704c41 Mon Sep 17 00:00:00 2001
From: Rot127 <45763064+Rot127@users.noreply.github.com>
Date: Wed, 17 Dec 2025 14:01:34 +0000
Subject: [PATCH] Merge commit from fork

The overflow was reported by Github user Finder16

(cherry picked from commit cbef767ab33b82166d263895f24084b75b316df3)
References: bsc#1255309 (CVE-2025-67873)
[DF: Remove the tests related hunks of the commit;]
Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
---
 cs.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/cs.c b/cs.c
index 98f30f76..495dbeb1 100644
--- a/cs.c
+++ b/cs.c
@@ -916,10 +916,13 @@ size_t CAPSTONE_API cs_disasm(csh ud, const uint8_t *buffer, size_t size, uint64
 				skipdata_bytes = handle->skipdata_size;
 
 			// we have to skip some amount of data, depending on arch & mode
-			insn_cache->id = 0;	// invalid ID for this "data" instruction
+			// invalid ID for this "data" instruction
+			insn_cache->id = 0;
 			insn_cache->address = offset;
-			insn_cache->size = (uint16_t)skipdata_bytes;
-			memcpy(insn_cache->bytes, buffer, skipdata_bytes);
+			insn_cache->size = (uint16_t)MIN(
+				skipdata_bytes, sizeof(insn_cache->bytes));
+			memcpy(insn_cache->bytes, buffer,
+			       MIN(skipdata_bytes, sizeof(insn_cache->bytes)));
 #ifdef CAPSTONE_DIET
 			insn_cache->mnemonic[0] = '\0';
 			insn_cache->op_str[0] = '\0';
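Review bot: The clamp `MIN(skipdata_bytes, sizeof(insn_cache->bytes))` is written out twice, once for `insn_cache->size` and once for the `memcpy` length, so a later edit could change one and not the other and reintroduce a size/copy mismatch. Computing it once, e.g. `size_t data_len = MIN(skipdata_bytes, sizeof(insn_cache->bytes));`, and using `data_len` in both places keeps the stored size and the copied length tied together; the cs_disasm_iter hunk repeats the same pattern. A short comment such as `// skipdata_bytes (e.g. from handle->skipdata_size) may exceed bytes[]; clamp what is stored` would record why the clamp exists. After this change `insn_cache->size` can be smaller than the number of bytes skipped; if the code below the hunk still advances by `skipdata_bytes`, that difference should be documented for callers. cs_disasm's body starts and ends outside the hunk.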
@@ -1128,12 +1131,13 @@ bool CAPSTONE_API cs_disasm_iter(csh ud, const uint8_t **code, size_t *size,
 		// we have to skip some amount of data, depending on arch & mode
 		insn->id = 0;	// invalid ID for this "data" instruction
 		insn->address = *address;
-		insn->size = (uint16_t)skipdata_bytes;
+		insn->size = (uint16_t)MIN(skipdata_bytes, sizeof(insn->bytes));
+		memcpy(insn->bytes, *code,
+		       MIN(skipdata_bytes, sizeof(insn->bytes)));
 #ifdef CAPSTONE_DIET
 		insn->mnemonic[0] = '\0';
 		insn->op_str[0] = '\0';
 #else
-		memcpy(insn->bytes, *code, skipdata_bytes);
 		strncpy(insn->mnemonic, handle->skipdata_setup.mnemonic,
 				sizeof(insn->mnemonic) - 1);
 		skipdata_opstr(insn->op_str, *code, skipdata_bytes);
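Review bot: `skipdata_opstr(insn->op_str, *code, skipdata_bytes)` on the last line still receives the unclamped length, while `insn->size` and the `memcpy` above it are now limited to `sizeof(insn->bytes)`. Its body is not in this hunk, so confirm that it bounds its writes to `op_str` and that `skipdata_bytes` has been checked against the remaining `*size` before it reads from `*code`. If both hold, a comment like `// op_str describes the whole skipped run; skipdata_opstr limits output to sizeof(op_str)` would mark the asymmetry as deliberate; otherwise pass the clamped length. Moving the `memcpy` above `#ifdef CAPSTONE_DIET` also means diet builds now fill `insn->bytes`, which looks intended but is not mentioned in the commit message. cs_disasm_iter continues outside the hunk.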
-- 
2.52.0
