Sanity check size passed to malloc...

Add sanity check before calling malloc in af_get_page() function to avoid undefined behavior (e.g., seg fault) when dealing with a corrupt AFF image with an invalid pagesize. Issue found by Luis Rocha ([email protected]).
sshock · Mar 11, 2018 · 435a2ca · 435a2ca
1 parent 0ddccaf
commit 435a2ca
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/lib/afflib_pages.cpp b/lib/afflib_pages.cpp
@@ -219,6 +219,11 @@ int af_get_page(AFFILE *af,int64_t pagenum,unsigned char *data,size_t *bytes)
 	    return -3;			// read error
 	}
 
+	/* Sanity check to avoid undefined behaviour when calling malloc below with pagesize from a corrupt AFF image. */
+	if(af->image_pagesize <= 0 || af->image_pagesize > 16*1024*1024)
+	    return -1;
+
+
 	/* Now uncompress directly into the buffer provided by the caller, unless the caller didn't
 	 * provide a buffer. If that happens, allocate our own...
 	 */