[Pkg-libburnia-devel] Bug#872590: libisofs6: integer overflow in susp_iter_next()
Jakub Wilk
jwilk at jwilk.net
Fri Aug 18 21:29:01 UTC 2017
Package: libisofs6
Version: 1.4.6-1
The susp_iter_next() function does the following:
nblocks = DIV_UP(iter->ce_off + iter->ce_len, BLOCK_SIZE);
iter->buffer = realloc(iter->buffer, nblocks * BLOCK_SIZE);
for (block = 0; block < nblocks; ++block) {
/* ... */
}
iter->base = iter->buffer + iter->ce_off;
(I omitted the boring parts.)
An overflow can happen in the computation of nblocks.
For example, in the attached ISO file:
- iter->ce_off is 4294901808;
- iter->ce_len is 65328;
- nblocks is computed as 0;
- iter->base is set to a bogus pointer.
Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/
--
Jakub Wilk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: intoverflow.iso.gz
Type: application/gzip
Size: 144 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-libburnia-devel/attachments/20170818/f6bd023e/attachment.bin>
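To make the arithmetic in the report concrete, here is an added example (not part of the bug report or of libisofs) that reproduces the nblocks computation with the values above and contrasts it with an overflow-checked version. It assumes 32-bit unsigned fields, a 2048-byte BLOCK_SIZE and the usual DIV_UP rounding macro; the libisofs definitions are not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Assumed definitions (not copied from libisofs). */
#define BLOCK_SIZE 2048u
#define DIV_UP(n, div) (((n) + (div) - 1) / (div))

/* Mirror of the computation quoted in the report, with the field
 * types assumed to be 32-bit unsigned. With the reported values
 * ce_off + ce_len = 4294967136, DIV_UP then adds 2047, which wraps
 * to 1887 in 32 bits, and 1887 / 2048 yields 0 blocks. A zero-byte
 * buffer is then indexed with iter->ce_off, giving the bogus pointer. */
uint32_t nblocks_unchecked(uint32_t ce_off, uint32_t ce_len)
{
    return DIV_UP(ce_off + ce_len, BLOCK_SIZE);
}

/* Hardened variant: do the sum in 64 bits and refuse any input whose
 * rounded end offset would not fit the 32-bit arithmetic a caller uses
 * for nblocks * BLOCK_SIZE. Returns false on overflow. */
bool nblocks_checked(uint32_t ce_off, uint32_t ce_len, uint32_t *nblocks)
{
    uint64_t end = (uint64_t)ce_off + ce_len;
    if (end > UINT32_MAX - (BLOCK_SIZE - 1))
        return false; /* DIV_UP's rounding term would wrap in 32 bits */
    *nblocks = (uint32_t)DIV_UP(end, (uint64_t)BLOCK_SIZE);
    return true;
}

/* Convenience wrapper: -1 on rejected input, else the block count. */
int64_t nblocks_checked_value(uint32_t ce_off, uint32_t ce_len)
{
    uint32_t n;
    if (!nblocks_checked(ce_off, ce_len, &n))
        return -1;
    return (int64_t)n;
}

int main(void)
{
    /* Values taken from the bug report. */
    uint32_t ce_off = 4294901808u;
    uint32_t ce_len = 65328u;

    printf("unchecked nblocks: %u\n", nblocks_unchecked(ce_off, ce_len));
    printf("checked   nblocks: %lld\n",
           (long long)nblocks_checked_value(ce_off, ce_len));
    printf("sane input (ce_off=4096, ce_len=100): %lld\n",
           (long long)nblocks_checked_value(4096u, 100u));
    return 0;
}
```

The check rejects the input before realloc() is reached, so the SUSP continuation area is never mapped through a buffer that is smaller than the offset used to address it.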