From 7daeac0b9ad98c9cd5ea5f05d3028fe171ba403a Mon Sep 17 00:00:00 2001
From: Stuart Caie
Date: Sat, 12 May 2018 10:51:34 +0100
Subject: [PATCH 1/3] =?UTF-8?q?Fix=20off-by-one=20bounds=20check=20on=20CH?=
 =?UTF-8?q?M=20PMGI/PMGL=20chunk=20numbers=20and=20reject=20empty=20filena?=
 =?UTF-8?q?mes.=20Thanks=20to=20Hanno=20B=C3=B6ck=20for=20reporting?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

(cherry picked from commit 72e70a921f0f07fee748aec2274b30784e1d312a)
---
 libmspack/trunk/mspack/chmd.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/libmspack/trunk/mspack/chmd.c b/libmspack/trunk/mspack/chmd.c
index 5a6ef54..b799154 100644
--- a/libmspack/trunk/mspack/chmd.c
+++ b/libmspack/trunk/mspack/chmd.c
@@ -1,5 +1,5 @@
 /* This file is part of libmspack.
- * (C) 2003-2011 Stuart Caie.
+ * (C) 2003-2018 Stuart Caie.
  *
  * libmspack is free software; you can redistribute it and/or modify it under
  * the terms of the GNU Lesser General Public License (LGPL) version 2.1
@@ -397,7 +397,7 @@ static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh,
       D(("first pmgl chunk is after last pmgl chunk"))
       return MSPACK_ERR_DATAFORMAT;
     }
-    if (chm->index_root != 0xFFFFFFFF && chm->index_root > chm->num_chunks) {
+    if (chm->index_root != 0xFFFFFFFF && chm->index_root >= chm->num_chunks) {
       D(("index_root outside valid range"))
       return MSPACK_ERR_DATAFORMAT;
     }
@@ -447,7 +447,10 @@ static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh,
   while (num_entries--) {
     READ_ENCINT(name_len);
     if (name_len > (unsigned int) (end - p)) goto chunk_end;
+    /* consider blank filenames to be an error */
+    if (name_len == 0) goto chunk_end;
     name = p; p += name_len;
+
     READ_ENCINT(section);
     READ_ENCINT(offset);
     READ_ENCINT(length);
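Review bot: The corrected `>=` on the index_root line is right only because chunk numbers are 0-based, and the hunk leaves that unstated; a comment on the new line such as `/* chunk numbers are 0-based, so num_chunks itself is out of range */` would keep a later reader from "fixing" it back to `>`. The same comparison is corrected for read_chunk in the @@ -622 hunk, but the first_pmgl/last_pmgl range checks directly above this one and whatever chmd_fast_find validates before calling read_chunk are outside the hunk, and they index the same chunk table, so they are worth auditing for the same off-by-one against num_chunks. This check also presumes num_chunks is itself bounded by the file size; where that is established is not visible here. chmd_read_headers begins and ends outside the hunk.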
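Review bot: The new `if (name_len == 0) goto chunk_end;` sends a blank filename to the same exit as a truncated chunk, which appears to abandon the rest of this chunk's entries rather than rejecting the file with MSPACK_ERR_DATAFORMAT as the header checks in the @@ -397 hunk do; if that lenient handling is intended, the added comment should say so, e.g. `/* a blank filename is invalid; stop parsing this chunk (chunk_end) rather than failing the whole file */`. What chunk_end actually does is outside the hunk, so this reading is inferred from the label and the surrounding `goto chunk_end` on the length check. The enclosing while loop and chmd_read_headers both continue outside the hunk.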
@@ -622,7 +625,7 @@ static unsigned char *read_chunk(struct mschm_decompressor_p *self,
   unsigned char *buf;
 
   /* check arguments - most are already checked by chmd_fast_find */
-  if (chunk_num > chm->num_chunks) return NULL;
+  if (chunk_num >= chm->num_chunks) return NULL;
 
   /* ensure chunk cache is available */
   if (!chm->chunk_cache) {
-- 
2.18.0
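Review bot: The existing comment `/* check arguments - most are already checked by chmd_fast_find */` above the corrected comparison understates why this line matters: the chunk cache is set up immediately after it and chunk_num presumably indexes that cache, so this is the last guard before the array access regardless of what the caller did, and the caller's own check is not visible in this hunk. I would reword it to `/* chunk_num is re-checked here because it indexes chunk_cache; callers (chmd_fast_find) have their own checks, but this one must hold on its own */`. read_chunk's body continues outside the hunk.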