[libbluray-devel] check for integer overflow when parsing file entry
Petri Hintukainen
git at videolan.org
Thu May 21 11:23:31 CEST 2015
libudfread | branch: master | Petri Hintukainen <phintuka at gmail.com> | Thu May 21 12:14:07 2015 +0300| [56f9e74e1db0f16eac56f06b2b26e3a7b2335eb4] | committer: Petri Hintukainen
check for integer overflow when parsing file entry
> http://git.videolan.org/gitweb.cgi/libudfread.git/?a=commit;h=56f9e74e1db0f16eac56f06b2b26e3a7b2335eb4
---
src/ecma167.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/ecma167.c b/src/ecma167.c
index ff996a9..f7ab66c 100644
--- a/src/ecma167.c
+++ b/src/ecma167.c
@@ -304,6 +304,12 @@ struct file_entry *decode_file_entry(const uint8_t *p, size_t size, uint16_t par
l_ea = _get_u32(p + 168);
l_ad = _get_u32(p + 172);
+ /* check for integer overflow */
+ if ((uint64_t)l_ea + (uint64_t)l_ad + (uint64_t)176 >= (uint64_t)1<<32) {
+ ecma_error("invalid file entry\n");
+ return NULL;
+ }
+
return _decode_file_entry(p, size, partition, l_ad, 176 + l_ea);
}
@@ -315,6 +321,12 @@ struct file_entry *decode_ext_file_entry(const uint8_t *p, size_t size, uint16_t
l_ea = _get_u32(p + 208);
l_ad = _get_u32(p + 212);
+ /* check for integer overflow */
+ if ((uint64_t)l_ea + (uint64_t)l_ad + (uint64_t)216 >= (uint64_t)1<<32) {
+ ecma_error("invalid file entry\n");
+ return NULL;
+ }
+
return _decode_file_entry(p, size, partition, l_ad, 216 + l_ea);
}
More information about the libbluray-devel
mailing list