File pspp-0002-sys-file-reader-Fix-integer-overflows-in-parse_long_.patch of Package pspp.openSUSE_Leap_42.2_Update

From: Ben Pfaff <blp@cs.stanford.edu>
Date: Tue, 4 Jul 2017 12:58:55 -0400
Subject: [PATCH] sys-file-reader: Fix integer overflows in
 parse_long_string_missing_values().

Crafted system files caused integer overflow errors that in turn caused
aborts.  This fixes the problem.

CVE-2017-10791.
See also https://bugzilla.redhat.com/show_bug.cgi?id=1467004.
See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866890.
See also https://security-tracker.debian.org/tracker/CVE-2017-10791.
Found by team OWL337, using the collAFL fuzzer.

diff --git a/src/data/sys-file-reader.c b/src/data/sys-file-reader.c
index 70a7411f..8ab130c0 100644
--- a/src/data/sys-file-reader.c
+++ b/src/data/sys-file-reader.c
@@ -2464,7 +2464,8 @@ parse_long_string_value_labels (struct sfm_reader *r,
       ofs += 4;
 
       /* Parse variable name, width, and number of labels. */
-      if (!check_overflow (r, record, ofs, var_name_len + 8))
+      if (!check_overflow (r, record, ofs, var_name_len)
+          || !check_overflow (r, record, ofs, var_name_len + 8))
         return;
       var_name = recode_string_pool ("UTF-8", dict_encoding,
                                      (const char *) record->data + ofs,
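Review bot: the two-step check on the `+` lines only works if `check_overflow (r, record, ofs, var_name_len)` fails for every `var_name_len` large enough to make `var_name_len + 8` wrap, and nothing in the hunk says so; add a comment above the `if` such as `/* Check var_name_len alone first: var_name_len + 8 can wrap to a small value that passes the second check. */` so a later cleanup does not fold the two checks back into the single one on the `-` line. The subject line names only parse_long_string_missing_values(), but this hunk changes parse_long_string_value_labels(); mention both functions in the commit message.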
@@ -2582,7 +2583,8 @@ parse_long_string_missing_values (struct sfm_reader *r,
       ofs += 4;
 
       /* Parse variable name. */
-      if (!check_overflow (r, record, ofs, var_name_len + 1))
+      if (!check_overflow (r, record, ofs, var_name_len)
+          || !check_overflow (r, record, ofs, var_name_len + 1))
         return;
       var_name = recode_string_pool ("UTF-8", dict_encoding,
                                      (const char *) record->data + ofs,
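Review bot: this is the same two-step pattern as in parse_long_string_value_labels() with `+ 1` in place of `+ 8`, and the reason for the first check is again left implicit; either reuse one helper for "record has at least var_name_len + n bytes at ofs, computed without wrapping" or repeat the explanatory comment here, since the guard is only as good as a reader's understanding of why both calls are needed. It would also be worth bounding `var_name_len` against the maximum variable name length before passing it to recode_string_pool(), so that a length that merely fits inside the record cannot still drive an oversized conversion.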