From a4dcb0ecf632832258ebb523c6bc39b7b94f8775 Mon Sep 17 00:00:00 2001 From: Daniel Brahneborg Date: Sun, 3 Mar 2002 22:02:40 +0000 Subject: Add buffer overflow checks to handle truncated and corrupted sis files. --- lib/sisfilerecord.cpp | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) (limited to 'lib/sisfilerecord.cpp') diff --git a/lib/sisfilerecord.cpp b/lib/sisfilerecord.cpp index cb2665c..baa5776 100644 --- a/lib/sisfilerecord.cpp +++ b/lib/sisfilerecord.cpp @@ -25,9 +25,12 @@ #include -void -SISFileRecord::fillFrom(uchar* buf, int* base, SISFile* sisFile) +SisRC +SISFileRecord::fillFrom(uchar* buf, int* base, off_t len, SISFile* sisFile) { + if (*base + 28 + 4 * 2 > len) + return SIS_TRUNCATED; + uchar* p = buf + *base; int size = 0; m_flags = read32(p); @@ -79,27 +82,33 @@ SISFileRecord::fillFrom(uchar* buf, int* base, SISFile* sisFile) int n = sisFile->m_header.m_nlangs; m_fileLengths = new uint32[n]; m_filePtrs = new uint32[n]; + if (*base + size + n * 8 > len) + return SIS_TRUNCATED; for (int i = 0; i < n; ++i) { m_fileLengths[i] = read32(p + size); + if (m_fileLengths[i] > len) + return SIS_TRUNCATED; size += 4; } for (int i = 0; i < n; ++i) { m_filePtrs[i] = read32(p + size); + int fileLen = m_fileLengths[i]; + if (m_filePtrs[i] + fileLen > len) + return SIS_TRUNCATED; size += 4; - int len = m_fileLengths[i]; if (logLevel >= 2) printf("File %d (for %s) is %d bytes long (at %d)\n", i, sisFile->getLanguage(i)->m_name, - len, + fileLen, m_filePtrs[i]); if (logLevel >= 1) printf("%d .. %d (%d bytes): File record (%s) for %.*s\n", m_filePtrs[i], - m_filePtrs[i] + len, - len, + m_filePtrs[i] + fileLen, + fileLen, sisFile->getLanguage(i)->m_name, m_destLength, buf + m_destPtr); } @@ -111,5 +120,6 @@ SISFileRecord::fillFrom(uchar* buf, int* base, SISFile* sisFile) printf("Unknown file flags %d\n", m_flags); } *base += size; + return SIS_OK; } -- cgit v1.2.3
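Review bot: The new guard `*base + 28 + 4 * 2 > len` at the top of `fillFrom` adds in signed `int` and never rejects a negative `*base`. An offset that is negative, or close enough to `INT_MAX` for the sum to overflow, passes the check, and `buf + *base` is then used for the reads. Comparing by subtraction avoids both cases: `if (*base < 0 || len < 36 || *base > len - 36) return SIS_TRUNCATED;`. A named constant for the 36 bytes would also document what the record layout requires. The return type changes from `void` to `SisRC`, so the callers (not shown here) must check it; the function body continues past this hunk.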
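Review bot: The check `m_filePtrs[i] + fileLen > len` in the second loop adds a `uint32` to an `int`, so on a 32-bit `int` the sum is unsigned 32-bit arithmetic and a large file pointer can wrap it back below `len`. Comparing by subtraction, as in the fence, avoids the wrap, and it can rely on the `m_fileLengths[i] > len` check already made in the first loop. The two `new uint32[n]` allocations also run before `n` is validated, so a negative or very large `m_nlangs` (presumably read from the file header) reaches `new` first, and `n * 8` is an `int` product that can itself overflow. The early returns after the allocations leave `m_fileLengths` and `m_filePtrs` partly filled, and whether the destructor releases them is not visible here. The enclosing function starts and ends outside this hunk.

```cpp
int n = sisFile->m_header.m_nlangs;
// Validate n before it sizes an allocation; dividing avoids overflow in n * 8.
off_t avail = len - *base - size;
if (n < 0 || avail < 0 || n > avail / 8)
    return SIS_TRUNCATED;
m_fileLengths = new uint32[n];
m_filePtrs = new uint32[n];
// … unchanged: first loop reading and bounding m_fileLengths[i] …
for (int i = 0; i < n; ++i) {
    m_filePtrs[i] = read32(p + size);
    int fileLen = m_fileLengths[i];
    // Subtraction form: m_filePtrs[i] + fileLen is a 32-bit sum that can wrap past len.
    if (m_filePtrs[i] > len || m_fileLengths[i] > len - m_filePtrs[i])
        return SIS_TRUNCATED;
    // … unchanged: size += 4 and the two logging printf calls …
```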