From b53a1583d05c3a5bfe5fa60da133fe59dfbb02b8 Mon Sep 17 00:00:00 2001
From: pancake
Date: Thu, 1 Dec 2022 13:57:46 +0100
Subject: [PATCH] Fix integer overflow in fuzzed dwarf rendering in graphs ##crash

* Reported by @solid-snail via huntrdev
* BountyID: c6f8d3ef-5420-4eba-9a5f-aba5e2b5fea2/
* Reproducer: `intof_mod`

---
 dist/docker/Dockerfile | 3 +++
 libr/core/canal.c | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/dist/docker/Dockerfile b/dist/docker/Dockerfile
index af908b4aefbe9..f1c4467bacdb6 100644
--- a/dist/docker/Dockerfile
+++ b/dist/docker/Dockerfile
@@ -70,6 +70,9 @@ RUN DEBIAN_FRONTEND=noninteractive dpkg --add-architecture i386 && \
 bison \
 pkg-config \
 make \
+ python3 \
+ python3-pip \
+ sudo \
 glib-2.0 \
 libc6:i386 \
 libncurses5:i386 \
diff --git a/libr/core/canal.c b/libr/core/canal.c
index be6bd15326466..d858cefdfbfe0 100644
--- a/libr/core/canal.c
+++ b/libr/core/canal.c
@@ -1390,6 +1390,10 @@ static char *core_anal_graph_label(RCore *core, RAnalBlock *bb, int opts) {
 filestr = r_file_slurp_line (file, line, 0);
 if (filestr) {
 int flen = strlen (filestr);
+ if (idx < 0 || ST32_ADD_OVFCHK (idx, flen + 8)) {
+ R_LOG_WARN ("integer overflow detected");
+ break;
+ }
 cmdstr = realloc (cmdstr, idx + flen + 8);
 memcpy (cmdstr + idx, filestr, flen);
 idx += flen;
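Review bot: The Dockerfile hunk adds `sudo` to the image's package list with nothing in the commit message saying why a crash fix in canal.c needs it, and `sudo` inside a container image is a privilege-escalation surface the moment the image runs as a non-root user with any sudoers entry. If it is genuinely required by some build or test step, a comment on that line such as `# sudo: required by <step> (TODO: document)` would let the next reviewer judge whether it can go; otherwise it should be dropped. Bundling this unrelated image change with the overflow fix also makes the security fix harder to backport on its own, so a separate commit would be preferable. The `RUN` instruction this package list belongs to starts and ends outside the hunk.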
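Review bot: The new guard passes `flen + 8` to `ST32_ADD_OVFCHK`, but that addition is itself evaluated in `int` before the macro sees it, and `flen` is an `int` narrowed from `strlen`, so a line of roughly INT_MAX bytes wraps before the check runs; widening the condition to `if (idx < 0 || flen < 0 || flen > INT_MAX - 8 || ST32_ADD_OVFCHK (idx, flen + 8)) {` (with `INT_MAX` from `<limits.h>` or the project's equivalent constant) closes that gap. The `break` also leaves the loop while `filestr` is still held; if the rest of the iteration frees it after the `memcpy`, as the pattern suggests, this new exit path leaks it and should `free (filestr);` before breaking — that code is outside the hunk, so please confirm. The pre-existing `cmdstr = realloc (cmdstr, ...)` followed by an unchecked `memcpy` is untouched by this commit and still dereferences NULL on allocation failure. `core_anal_graph_label` starts and ends outside the hunk.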