
[GNUnet-SVN] [libextractor] branch master updated: detect integer overfl


From: gnunet
Subject: [GNUnet-SVN] [libextractor] branch master updated: detect integer overflow in DVI extractor
Date: Tue, 17 Oct 2017 08:51:30 +0200

This is an automated email from the git hooks/post-receive script.

grothoff pushed a commit to branch master
in repository libextractor.

The following commit(s) were added to refs/heads/master by this push:
     new d4d488b0 detect integer overflow in DVI extractor
d4d488b0 is described below

commit d4d488b0e5ab13dda241d688d87a07816368f117
Author: Christian Grothoff <address@hidden>
AuthorDate: Tue Oct 17 08:50:26 2017 +0200

    detect integer overflow in DVI extractor
---
 ChangeLog                   |  4 ++++
 src/plugins/dvi_extractor.c | 20 +++++++++++++-------
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index efad82cb..6dc59981 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Tue Oct 17 08:49:31 CEST 2017
+       Fix integer overflows in DVI extractor found by Leon Zhao, which
+       could cause SEGVs (read-only). -CG
+
 Sun Oct 15 19:36:41 CEST 2017
        Fix potential file descriptor leak (on error handling path).
        Fix potential assign-after-free (on IPC error handling path).
diff --git a/src/plugins/dvi_extractor.c b/src/plugins/dvi_extractor.c
index 1f42497d..268b48c5 100644
--- a/src/plugins/dvi_extractor.c
+++ b/src/plugins/dvi_extractor.c
@@ -1,6 +1,6 @@
 /*
      This file is part of libextractor.
-     Copyright (C) 2002, 2003, 2004, 2012 Vidyut Samanta and Christian Grothoff
+     Copyright (C) 2002, 2003, 2004, 2012, 2017 Vidyut Samanta and Christian 
Grothoff
 
      libextractor is free software; you can redistribute it and/or modify
      it under the terms of the GNU General Public License as published
@@ -175,7 +175,8 @@ EXTRACTOR_dvi_extract_method (struct 
EXTRACTOR_ExtractContext *ec)
   if (40 >= (iret = ec->read (ec->cls, &buf, 1024)))
     return;
   data = buf;
-  if ((data[0] != 247) || (data[1] != 2))
+  if ( (data[0] != 247) ||
+       (data[1] != 2) )
     return;                /* cannot be DVI or unsupported version */
   klen = data[14];
   size = ec->get_size (ec->cls);
@@ -196,9 +197,11 @@ EXTRACTOR_dvi_extract_method (struct 
EXTRACTOR_ExtractContext *ec)
       off += iret;
     }
   pos = size - 1;
-  while ((223 == data[pos]) && (pos > 0))
+  while ( (223 == data[pos]) &&
+         (pos > 0) )
     pos--;
-  if ((2 != data[pos]) || (pos < 40))
+  if ( (2 != data[pos]) ||
+       (pos < 40) )
     goto CLEANUP;
   pos--;
   pos -= 4;
@@ -207,7 +210,8 @@ EXTRACTOR_dvi_extract_method (struct 
EXTRACTOR_ExtractContext *ec)
     goto CLEANUP;
   opos = pos;
   pos = getIntAt (&data[opos + 1]);
-  if (pos + 25 > size)
+  if ( (pos + 25 > size) ||
+       (pos + 25 < pos) )
     goto CLEANUP;
   /* assert pos at 'post' command */
   if (data[pos] != 248)
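Review bot: The added wrap test `(pos + 25 < pos)` is only meaningful if `pos` is an unsigned type; its declaration is outside this hunk, though the `UINT32_MAX == pos` comparison in the next hunk suggests a 32-bit unsigned. Since `pos` is read from the file via `getIntAt`, I would write the bound so that no arithmetic is done on the untrusted value: `if ( (size < 25) || (pos > size - 25) )`. The same applies to the `pos + 45` check in the following hunk. The function body starts and ends outside the hunk.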
@@ -219,7 +223,8 @@ EXTRACTOR_dvi_extract_method (struct 
EXTRACTOR_ExtractContext *ec)
     {
       if (UINT32_MAX == pos)
         break;
-      if (pos + 45 > size)
+      if ( (pos + 45 > size) ||
+          (pos + 45 < pos) )
        goto CLEANUP;
       if (data[pos] != 139)     /* expect 'bop' */
        goto CLEANUP;
@@ -268,7 +273,8 @@ EXTRACTOR_dvi_extract_method (struct 
EXTRACTOR_ExtractContext *ec)
   }
   /* try to find PDF/ps special */
   pos = opos;
-  while (pos < size - 100)
+  while ( (size >= 100) &&
+         (pos < size - 100) )
     {
       switch (data[pos])
         {
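Review bot: The new `size >= 100` guard in the `while` condition has no comment, so its purpose (presumably to stop an unsigned `size - 100` from wrapping on short inputs) could be lost in a later cleanup. I would add `/* size - 100 would wrap for inputs shorter than 100 bytes */` above the loop. The bound 100 is a bare number, and whether it covers every read the `switch` cases make past `data[pos]` cannot be confirmed from this hunk, because the loop body continues outside it.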

-- 
To stop receiving notification emails like this one, please contact
address@hidden


