[Pkg-libburnia-devel] Bug#872590: libisofs6: integer overflow in susp_iter_next()

Thomas Schmitt scdbackup at gmx.net
Sat Aug 19 16:09:40 UTC 2017


The immediate trigger of the bug is fixed by commit
  "Preventing use of zero sized SUSP CE entry which causes SIGSEGV.
   Debian bug 872590. Thanks Jakub Wilk and American Fuzzy Lop."

Further, I installed a size curb for loading CE areas. For that I now only
read the number of blocks which is necessary and refuse on more than 1 MiB.
  "Avoid to read blocks from start of CE area which do not belong to the
   given file"

A test for proper block addresses of CE areas was added:
  "Refuse to read CE data blocks from after the end of ISO filesystem"

If the second or third change is bad, then the regression consequences are
severe. So I compared ISO reading of xorriso-1.4.6 with the one of development
version 1.4.7. The results got cleaned of systematic differences by a few
sed expressions:

  xorriso=... path to xorriso 1.4.6 or 1.4.7 ...
  run=... "old" or "new" ...

  # valgrind reports on stderr, so merge it into the pipe for sed
  for i in *.iso
  do
    valgrind "$xorriso" \
      -report_about note -for_backup -hfsplus on \
      -indev "$i" \
      -find / -exec lsdl -- \
      -find / -has_any_xattr -exec get_any_xattr -- \
      -find / -exec getfacl -- 2>&1
  done \
  | sed \
     -e 's/^==[0-9][0-9]*=//' \
     -e 's/xorriso 1.4.[67]/xorriso 1.4.X/g' \
     -e 's/^= Command:.*$//' \
     -e 's/^=   total heap usage:.*$//' \
  > "log-$run.txt"

Comparison of both log files yields only insignificant differences and the
improvements which were achieved by fixing the recent bugs found by AFL.
The log file size with my ISO 9660 collection is 90 MB. So there is a decent
statistical base.

Have a nice day :)
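The three checks the message describes (reject a zero-sized CE entry, curb the CE area at 1 MiB and read only the blocks it spans, refuse block addresses past the end of the filesystem), as an added C example that is not libisofs code. The byte layout follows the SUSP "CE" entry (signature, length 28, version, then block location, offset and length, each stored little-endian and big-endian); the 2048-byte block size, the 1 MiB limit and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

#define ISO_BLOCK_SIZE    2048u
#define CE_AREA_MAX_BYTES (1024u * 1024u)   /* the 1 MiB curb from the post (assumed value) */

/* Outcome of validating one SUSP "CE" entry before any block is read: malformed
 * header, zero length (the SIGSEGV trigger), more than the 1 MiB curb, or blocks
 * that would lie past the end of the ISO filesystem. */
enum ce_check { CE_OK = 0, CE_BAD_HEADER, CE_ZERO_SIZE, CE_TOO_LARGE, CE_OUT_OF_RANGE };

/* SUSP stores 32-bit fields in both byte orders; read the little-endian half. */
static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate a raw CE entry against fs_blocks (filesystem size in 2048-byte blocks)
 * and report how many blocks actually belong to this file's CE area. */
enum ce_check check_ce_entry(const unsigned char *e, size_t e_len,
                             uint32_t fs_blocks, uint32_t *blocks_to_read)
{
    if (e_len < 28 || e[0] != 'C' || e[1] != 'E' || e[2] != 28)
        return CE_BAD_HEADER;
    uint32_t block  = rd_le32(e + 4);    /* block address of the CE area */
    uint32_t offset = rd_le32(e + 12);   /* byte offset inside that block */
    uint32_t length = rd_le32(e + 20);   /* byte length of the CE area */
    if (offset >= ISO_BLOCK_SIZE) return CE_BAD_HEADER;
    if (length == 0) return CE_ZERO_SIZE;
    if (length > CE_AREA_MAX_BYTES) return CE_TOO_LARGE;
    /* 64-bit arithmetic so neither offset+length nor block+nblocks can wrap */
    uint64_t nblocks = ((uint64_t)offset + length + ISO_BLOCK_SIZE - 1) / ISO_BLOCK_SIZE;
    if ((uint64_t)block + nblocks > fs_blocks) return CE_OUT_OF_RANGE;
    *blocks_to_read = (uint32_t)nblocks;
    return CE_OK;
}

/* Constructed sample input: build a CE entry from field values, then validate it. */
enum ce_check check_ce_values(uint32_t block, uint32_t offset, uint32_t length,
                              uint32_t fs_blocks, uint32_t *blocks_to_read)
{
    unsigned char e[28] = { 'C', 'E', 28, 1 };   /* signature, entry length, version */
    uint32_t v[3] = { block, offset, length };
    for (int i = 0; i < 3; i++)                  /* each field: LE copy then BE copy */
        for (int b = 0; b < 4; b++)
            e[4 + 8 * i + b] = e[4 + 8 * i + 7 - b] = (unsigned char)(v[i] >> (8 * b));
    return check_ce_entry(e, sizeof e, fs_blocks, blocks_to_read);
}
```

The last check is the one a 32-bit `block + nblocks` would miss: with a block address of 0xFFFFFFFF the sum wraps to 0 and passes, which is the shape of the integer overflow named in the subject.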
