From eafc415bc6067e72577f70d6dd5acbf057ce6e6f Mon Sep 17 00:00:00 2001
From: Bartek Fabiszewski
Date: Wed, 27 Apr 2022 12:31:59 +0200
Subject: [PATCH] Fix wrong boundary checks in inflections parser resulting in stack buffer over-read with corrupt input
---
ChangeLog | 1 +
src/index.c | 8 ++------
2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 8171034..b431347 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,4 @@
+2022-04-27: Fix wrong boundary checks in inflections parser resulting in stack buffer over-read with corrupt input
2022-04-26: Fix text formatting
2022-04-26: Fix array boundary check when parsing inflections which could result in buffer over-read with corrupt input
2022-04-23: Fix formatting
diff --git a/src/index.c b/src/index.c
index 7e4f3b7..ca83675 100644
--- a/src/index.c
+++ b/src/index.c
@@ -961,17 +961,13 @@ MOBI_RET mobi_decode_infl(unsigned char *decoded, int *decoded_size, const unsig
}
pos -= c - 10;
dir = 0;
- if (pos < 0 || pos > *decoded_size) {
- debug_print("Position setting failed (%s)\n", decoded);
- return MOBI_DATA_CORRUPT;
- }
} else {
if (mod == 'i') {
const unsigned char *s = decoded + pos;
unsigned char *d = decoded + pos + 1;
const int l = *decoded_size - pos;
- if (l < 0 || d + l > decoded + INDX_INFLBUF_SIZEMAX) {
+ if (pos < 0 || l < 0 || d + l > decoded + INDX_INFLBUF_SIZEMAX) {
debug_print("Out of buffer in %s at pos: %i\n", decoded, pos);
return MOBI_DATA_CORRUPT;
}
@@ -984,7 +980,7 @@ MOBI_RET mobi_decode_infl(unsigned char *decoded, int *decoded_size, const unsig
const unsigned char *s = decoded + pos + 1;
unsigned char *d = decoded + pos;
const int l = *decoded_size - pos;
- if (l < 0 || d + l > decoded + INDX_INFLBUF_SIZEMAX) {
+ if (pos < 0 || l < 0 || s + l > decoded + INDX_INFLBUF_SIZEMAX) {
debug_print("Out of buffer in %s at pos: %i\n", decoded, pos);
return MOBI_DATA_CORRUPT;
}
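Review bot: The new `pos < 0` test in the `mod == 'i'` branch is evaluated two lines after `decoded + pos` has already been turned into the pointers `s` and `d`, so a negative `pos` from a corrupt rule still forms a pointer outside the buffer before it is rejected; forming that pointer is undefined behaviour in C and is what `-fsanitize=pointer-overflow` reports, even though the memmove no longer runs. Because `d + l` always equals `decoded + *decoded_size + 1` here, and `l < 0` is just another spelling of `pos > *decoded_size`, the whole guard can be stated on integers ahead of the pointer declarations: `if (pos < 0 || pos > *decoded_size || *decoded_size + 1 > INDX_INFLBUF_SIZEMAX) { debug_print(...); return MOBI_DATA_CORRUPT; }`, with `s`, `d` and `l` declared after it. That keeps the removed post-`pos -= c - 10;` check fully covered for this branch without any out-of-range arithmetic. mobi_decode_infl begins before and continues after this hunk, so other uses of `pos` in the function are not visible from here.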
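Review bot: The widened guard in the delete branch still admits `pos == *decoded_size`, where `l` is 0 and there is no character at `pos` to remove; if the code after the hunk decrements `*decoded_size` unconditionally (it is outside this view), a corrupt rule can drive the recorded length below the real content, so unless a delete at the end is a legitimate rule this branch likely wants `pos >= *decoded_size` in place of `l < 0`. As in the insert branch, `pos < 0` is only checked after `decoded + pos + 1` and `decoded + pos` have been formed in `s` and `d`, which is out-of-bounds pointer arithmetic before the check fires. Since `s + l` reduces to `decoded + *decoded_size + 1`, the test can be written without pointers and moved above the declarations: `if (pos < 0 || pos >= *decoded_size || *decoded_size + 1 > INDX_INFLBUF_SIZEMAX)`. The enclosing function starts and ends outside the hunk.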