[libbdplus-devel] Fix possible OOB write

anonymous git at videolan.org
Thu Mar 16 11:41:18 CET 2017


libbdplus | branch: master | anonymous <anonymous at anonymous.org> | Thu Mar 16 12:21:10 2017 +0200| [3474098c484722db5cacdbe0599159b88d669997] | committer: anonymous

Fix possible OOB write

> http://git.videolan.org/gitweb.cgi/libbdplus.git/?a=commit;h=3474098c484722db5cacdbe0599159b88d669997
---

 src/libbdplus/bdsvm/diff.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/libbdplus/bdsvm/diff.c b/src/libbdplus/bdsvm/diff.c
index c33276a..d3713b4 100644
--- a/src/libbdplus/bdsvm/diff.c
+++ b/src/libbdplus/bdsvm/diff.c
@@ -95,6 +95,7 @@ int32_t diff_loadcore(uint8_t *addr, uint32_t vmsize, char *fname,
         return -1;
     }
     if (size > vmsize) {
+        BD_DEBUG(DBG_BDPLUS,"[diff] Diff size larger than vmsize\n");
         fclose(fd);
         return -2; // Safety
     }
@@ -114,6 +115,11 @@ int32_t diff_loadcore(uint8_t *addr, uint32_t vmsize, char *fname,
             start  = FETCH4((uint8_t*)&start);
             length = FETCH4((uint8_t*)&length);
 
+            if ((uint64_t)start + length > (uint64_t)vmsize) {
+              BD_DEBUG(DBG_BDPLUS,"[diff] Diff skipping load (would exceed vmsize)\n");
+              fclose(fd);
+              return -2;
+            }
             if (fread(&addr[ start ], length, 1, fd) != 1) goto fail;
         } // currdiff
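Review bot: The new bounds check in the second hunk logs "Diff skipping load", but it then closes the file and returns -2, so the whole load is aborted rather than one segment skipped, and segments from earlier loop iterations may already have been written into `addr`. The message should say so and be visible at error level, e.g. `BD_DEBUG(DBG_BDPLUS|DBG_CRIT,"[diff] Segment start+length exceeds vmsize, aborting load\n");` (assuming DBG_CRIT is available in this file), ideally also printing `start`, `length` and `vmsize` if BD_DEBUG accepts printf-style arguments. The adjacent `fread` failure uses `goto fail`, while this path repeats `fclose(fd); return -2;` with 2-space indentation instead of the file's 4; the `fail` label is outside the hunk, so whether it can be reused with the same return code needs checking. The widening to `uint64_t` does keep `start + length` from wrapping before the comparison.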
 


