Fix a potential buffer overflow

2023-09-07 20:13:12 +02:00 · 2023-09-07 20:13:12 +02:00 · 072f0d4242
commit 072f0d4242
parent baa1c494c1
3 changed files with 25 additions and 0 deletions
--- a/src/atomics_cobalt.c
+++ b/src/atomics_cobalt.c
@ -41,6 +41,8 @@

 #define FP_OFFSET 20

+#define SZ_HEADER 228
+
 #define SZ_MEMORY1 (29 * 64 * 1024) // Cobalt 1
 #define SZ_MEMORY2 (41 * 64 * 1024) // Cobalt 2
 #define SZ_VERSION 14
@ -347,6 +349,12 @@ atomics_cobalt_device_foreach (dc_device_t *abstract, dc_dive_callback_t callbac
 			return DC_STATUS_SUCCESS;
 		}

+		if (size < SZ_HEADER) {
+			ERROR (abstract->context, "Dive header is too small (%u).", size);
+			dc_buffer_free (buffer);
+			return DC_STATUS_DATAFORMAT;
+		}
+
 		if (memcmp (data + FP_OFFSET, device->fingerprint, sizeof (device->fingerprint)) == 0) {
 			dc_buffer_free (buffer);
 			return DC_STATUS_SUCCESS;
--- a/src/citizen_aqualand.c
+++ b/src/citizen_aqualand.c
@ -31,6 +31,8 @@

 #define ISINSTANCE(device) dc_device_isinstance((device), &citizen_aqualand_device_vtable)

+#define SZ_HEADER 32
+
 typedef struct citizen_aqualand_device_t {
 	dc_device_t base;
 	dc_iostream_t *iostream;
@ -200,6 +202,12 @@ citizen_aqualand_device_foreach (dc_device_t *abstract, dc_dive_callback_t callb
 	unsigned char *data = dc_buffer_get_data (buffer);
 	unsigned int   size = dc_buffer_get_size (buffer);

+	if (size < SZ_HEADER) {
+		ERROR (abstract->context, "Dive header is too small (%u).", size);
+		dc_buffer_free (buffer);
+		return DC_STATUS_DATAFORMAT;
+	}
+
 	if (callback && memcmp (data + 0x05, device->fingerprint, sizeof (device->fingerprint)) != 0) {
 		callback (data, size, data + 0x05, sizeof (device->fingerprint), userdata);
 	}
--- a/src/cressi_edy.c
+++ b/src/cressi_edy.c
@ -38,6 +38,8 @@
 #define SZ_PACKET         0x80
 #define SZ_PAGE           (SZ_PACKET / 4)

+#define SZ_HEADER 32
+
 #define IQ700 0x05
 #define EDY   0x08

@ -522,6 +524,13 @@ cressi_edy_device_foreach (dc_device_t *abstract, dc_dive_callback_t callback, v
 			return rc;
 		}

+		if (length < SZ_HEADER) {
+			ERROR (abstract->context, "Dive header is too small (%u).", length);
+			dc_rbstream_free (rbstream);
+			free (buffer);
+			return DC_STATUS_DATAFORMAT;
+		}
+
 		unsigned char *p = buffer + offset;

 		if (memcmp (p, device->fingerprint, sizeof (device->fingerprint)) == 0)