From 435a2ca802358a3debb6d164d2c33049131df81c Mon Sep 17 00:00:00 2001 From: Phillip Hellewell Date: Sat, 10 Mar 2018 18:05:39 -0700 Subject: [PATCH] Sanity check size passed to malloc... Add sanity check before calling malloc in af_get_page() function to avoid undefined behavior (e.g., seg fault) when dealing with a corrupt AFF image with an invalid pagesize. Issue found by Luis Rocha (luiscrocha@gmail.com). --- lib/afflib_pages.cpp | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lib/afflib_pages.cpp b/lib/afflib_pages.cpp index 2569c2a..f8cf775 100644 --- a/lib/afflib_pages.cpp +++ b/lib/afflib_pages.cpp @@ -219,6 +219,11 @@ int af_get_page(AFFILE *af,int64_t pagenum,unsigned char *data,size_t *bytes) return -3; // read error } + /* Sanity check to avoid undefined behaviour when calling malloc below with pagesize from a corrupt AFF image. */ + if(af->image_pagesize <= 0 || af->image_pagesize > 16*1024*1024) + return -1; + + /* Now uncompress directly into the buffer provided by the caller, unless the caller didn't * provide a buffer. If that happens, allocate our own... */