From bf2471f59ecc1aa45645d967bc9fa0efa3de3556 Mon Sep 17 00:00:00 2001
From: Koji Arai
Date: Sat, 16 Jan 2016 21:28:44 +0900
Subject: [PATCH] Avoid the buffer overflow BUG to occur to read the level0 or level1 header
---
src/header.c | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/src/header.c b/src/header.c
index ca0d037..516ab5d 100644
--- a/src/header.c
+++ b/src/header.c
@@ -788,6 +788,7 @@ get_header_level0(fp, hdr, data)
 char *data;
 {
 size_t header_size;
+ ssize_t remain_size;
 ssize_t extend_size;
 int checksum;
 int name_length;
@@ -797,8 +798,14 @@ get_header_level0(fp, hdr, data)
 hdr->header_size = header_size = get_byte();
 checksum = get_byte();
- if (fread(data + COMMON_HEADER_SIZE,
- header_size + 2 - COMMON_HEADER_SIZE, 1, fp) == 0) {
+ /* The data variable has been already read as COMMON_HEADER_SIZE bytes.
+ So we must read the remaining header size by the header_size. */
+ remain_size = header_size + 2 - COMMON_HEADER_SIZE;
+ if (remain_size <= 0) {
+ error("Invalid header size (LHarc file ?)");
+ return FALSE;
+ }
+ if (fread(data + COMMON_HEADER_SIZE, remain_size, 1, fp) == 0) {
 error("Invalid header (LHarc file ?)");
 return FALSE; /* finish */
 }
@@ -904,6 +911,7 @@ get_header_level1(fp, hdr, data)
 char *data;
 {
 size_t header_size;
+ ssize_t remain_size;
 ssize_t extend_size;
 int checksum;
 int name_length;
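Review bot: The underflow guard in the @@ -797,8 +798,14 @@ hunk only works because the `size_t` expression `header_size + 2 - COMMON_HEADER_SIZE` wraps to a huge value and that value then converts to a negative `ssize_t` on assignment, which is implementation-defined behaviour (C11 6.3.1.3); the intent is clearer and portable if the comparison happens before the subtraction: `if (header_size + 2 <= COMMON_HEADER_SIZE) { error("Invalid header size (LHarc file ?)"); return FALSE; }` followed by `remain_size = header_size + 2 - COMMON_HEADER_SIZE;`. The identical pattern is in the @@ -913,8 +921,14 @@ hunk of get_header_level1 and should be changed the same way. Neither hunk bounds `remain_size` from above, so the fread stays in bounds only because `header_size` is read via `get_byte()` (presumably at most 255) and because the caller's `data` buffer is, presumably, at least 257 bytes long — a comment stating that invariant next to the fread, or an explicit check against the buffer's size, would make the reasoning visible to the next reader. Both get_header_level0 and get_header_level1 begin before and continue past their hunks, so the later consumers of `header_size` and of the freshly read bytes are not reviewed here.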
@@ -913,8 +921,14 @@ get_header_level1(fp, hdr, data)
 hdr->header_size = header_size = get_byte();
 checksum = get_byte();
- if (fread(data + COMMON_HEADER_SIZE,
- header_size + 2 - COMMON_HEADER_SIZE, 1, fp) == 0) {
+ /* The data variable has been already read as COMMON_HEADER_SIZE bytes.
+ So we must read the remaining header size by the header_size. */
+ remain_size = header_size + 2 - COMMON_HEADER_SIZE;
+ if (remain_size <= 0) {
+ error("Invalid header size (LHarc file ?)");
+ return FALSE;
+ }
+ if (fread(data + COMMON_HEADER_SIZE, remain_size, 1, fp) == 0) {
 error("Invalid header (LHarc file ?)");
 return FALSE; /* finish */
 }
-- 
2.1.4