[libbdplus-devel] Fix possible OOB write
anonymous
git at videolan.org
Thu Mar 16 11:41:18 CET 2017
libbdplus | branch: master | anonymous <anonymous at anonymous.org> | Thu Mar 16 12:21:10 2017 +0200| [3474098c484722db5cacdbe0599159b88d669997] | committer: anonymous
Fix possible OOB write
> http://git.videolan.org/gitweb.cgi/libbdplus.git/?a=commit;h=3474098c484722db5cacdbe0599159b88d669997
---
src/libbdplus/bdsvm/diff.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/libbdplus/bdsvm/diff.c b/src/libbdplus/bdsvm/diff.c
index c33276a..d3713b4 100644
--- a/src/libbdplus/bdsvm/diff.c
+++ b/src/libbdplus/bdsvm/diff.c
@@ -95,6 +95,7 @@ int32_t diff_loadcore(uint8_t *addr, uint32_t vmsize, char *fname,
return -1;
}
if (size > vmsize) {
+ BD_DEBUG(DBG_BDPLUS,"[diff] Diff size larger than vmsize\n");
fclose(fd);
return -2; // Safety
}
@@ -114,6 +115,11 @@ int32_t diff_loadcore(uint8_t *addr, uint32_t vmsize, char *fname,
start = FETCH4((uint8_t*)&start);
length = FETCH4((uint8_t*)&length);
+ if ((uint64_t)start + length > (uint64_t)vmsize) {
+ BD_DEBUG(DBG_BDPLUS,"[diff] Diff skipping load (would exceed vmsize)\n");
+ fclose(fd);
+ return -2;
+ }
if (fread(&addr[ start ], length, 1, fd) != 1) goto fail;
} // currdiff
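Review bot: The new range check exits with `fclose(fd); return -2;`, while the `fread` failure on the next line uses `goto fail`. The `fail` label and the rest of `diff_loadcore` lie outside this hunk, so if that label does any cleanup beyond closing the file, the new path skips it; it is worth confirming the two exits are equivalent. Since the check sits inside the per-segment loop, earlier segments may already have been written into `addr` when a later one is rejected, so a comment such as `/* earlier segments may already be applied; caller must discard addr on error */` would make the contract explicit. The message says "skipping load" although the function aborts, and it would be easier to triage a malformed diff file if it logged `start`, `length` and `vmsize`.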