Fix a buffer overflow

The length field in the data is checked against the maximum size (i.e. the
size of the buffer), but there is no such check against the minimum size
(i.e. the size of the header). If the length is smaller than the header,
the code accessed data before the start of the buffer.
This commit is contained in:
Jef Driesen 2019-04-15 13:36:33 +02:00
parent f37c3d3c86
commit 05a21bc8ee


@ -100,13 +100,13 @@ mares_iconhd_parser_cache (mares_iconhd_parser_t *parser)
else if (parser->model == SMARTAPNEA)
header = 6; // Type and number of samples only!
if (size < header + 4) {
if (size < 4) {
ERROR (abstract->context, "Buffer overflow detected!");
return DC_STATUS_DATAFORMAT;
}
unsigned int length = array_uint32_le (data);
if (length > size) {
if (length < 4 + header || length > size) {
ERROR (abstract->context, "Buffer overflow detected!");
return DC_STATUS_DATAFORMAT;
}
@ -146,7 +146,7 @@ mares_iconhd_parser_cache (mares_iconhd_parser_t *parser)
samplesize = 14;
}
if (length < headersize) {
if (length < 4 + headersize) {
ERROR (abstract->context, "Buffer overflow detected!");
return DC_STATUS_DATAFORMAT;
}
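Review bot: The literal `4` in the new guards (`size < 4`, `length < 4 + header`, and `length < 4 + headersize` in the second hunk) is the width of the little-endian length field read by `array_uint32_le (data)`, but nothing in the hunks says so, and the three occurrences have to stay in sync by hand. A short comment on the first new check, `// 4 = size of the length field itself, which precedes the header`, or a named constant used in all three places would make the bound self-explanatory. The "Buffer overflow detected!" message is now also emitted when `length` is too small, which is a different condition from the one the wording suggests; whether that is worth a distinct message depends on the library's convention, which is not visible here. The enclosing function `mares_iconhd_parser_cache` begins and ends outside both hunks, so where `length - 4 - header` style arithmetic relies on these guards cannot be confirmed from this view.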