sys-file-reader: Fix integer overflows in parse_long_string_missing_values().

Crafted system files caused integer overflow errors that in turn caused
aborts.  This fixes the problem.

CVE-2017-10791.
See also https://bugzilla.redhat.com/show_bug.cgi?id=1467004.
See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866890.
See also https://security-tracker.debian.org/tracker/CVE-2017-10791.
Found by team OWL337, using the collAFL fuzzer.

diff --git a/src/data/sys-file-reader.c b/src/data/sys-file-reader.c
index 1745d1dcf2db165bf8c3f3f149bd405532e634f3..d1676564d8aa965f831465418a10ad22cfd13400 100644 (file)
--- a/src/data/sys-file-reader.c
+++ b/src/data/sys-file-reader.c
@@ -2463,7 +2463,8 @@ parse_long_string_value_labels (struct sfm_reader *r,
       ofs += 4;
 
       /* Parse variable name, width, and number of labels. */
-      if (!check_overflow (r, record, ofs, var_name_len + 8))
+      if (!check_overflow (r, record, ofs, var_name_len)
+          || !check_overflow (r, record, ofs, var_name_len + 8))
         return;
       var_name = recode_string_pool ("UTF-8", dict_encoding,
                                      (const char *) record->data + ofs,
@@ -2581,7 +2582,8 @@ parse_long_string_missing_values (struct sfm_reader *r,
       ofs += 4;
 
       /* Parse variable name. */
-      if (!check_overflow (r, record, ofs, var_name_len + 1))
+      if (!check_overflow (r, record, ofs, var_name_len)
+          || !check_overflow (r, record, ofs, var_name_len + 1))
         return;
       var_name = recode_string_pool ("UTF-8", dict_encoding,
                                      (const char *) record->data + ofs,