Crafted system files caused integer overflow errors that in turn caused
aborts. This fixes the problem.
CVE-2017-10791.
See also https://bugzilla.redhat.com/show_bug.cgi?id=1467004.
See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866890.
See also https://security-tracker.debian.org/tracker/CVE-2017-10791.
Found by team OWL337, using the collAFL fuzzer.
ofs += 4;
/* Parse variable name, width, and number of labels. */
ofs += 4;
/* Parse variable name, width, and number of labels. */
- if (!check_overflow (r, record, ofs, var_name_len + 8))
+ if (!check_overflow (r, record, ofs, var_name_len)
+ || !check_overflow (r, record, ofs, var_name_len + 8))
return;
var_name = recode_string_pool ("UTF-8", dict_encoding,
(const char *) record->data + ofs,
return;
var_name = recode_string_pool ("UTF-8", dict_encoding,
(const char *) record->data + ofs,
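Review bot: The paired condition on var_name_len needs a comment explaining that the first check_overflow call is there to reject a length large enough for var_name_len + 8 to wrap, because the second call on its own reads as sufficient and a later cleanup could fold the two back into one. The sum is still computed at the call site, so the guard depends entirely on the order of the two calls. Consider a helper that takes the length and the fixed trailer size as separate arguments and does the addition only after the bound check. It would also help to say in the comment that the 8 covers the width and label-count fields named in the line above, if that is what it stands for.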
ofs += 4;
/* Parse variable name. */
ofs += 4;
/* Parse variable name. */
- if (!check_overflow (r, record, ofs, var_name_len + 1))
+ if (!check_overflow (r, record, ofs, var_name_len)
+ || !check_overflow (r, record, ofs, var_name_len + 1))
return;
var_name = recode_string_pool ("UTF-8", dict_encoding,
(const char *) record->data + ofs,
return;
var_name = recode_string_pool ("UTF-8", dict_encoding,
(const char *) record->data + ofs,
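Review bot: The + 1 in the second check_overflow call is undocumented; the comment above says only "Parse variable name", so state what the extra byte accounts for. This is also a second copy of the check pair from the previous hunk with a different constant, which is a sign the pattern belongs in one place. Any other check_overflow caller that passes a file-supplied length plus a constant would need the same treatment, and none are visible in this patch, so it is worth confirming they were audited.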