From a4dcb0ecf632832258ebb523c6bc39b7b94f8775 Mon Sep 17 00:00:00 2001 From: Daniel Brahneborg Date: Sun, 3 Mar 2002 22:02:40 +0000 Subject: Add buffer overflow checks to handle truncated and corrupted sis files. --- lib/sisreqrecord.cpp | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'lib/sisreqrecord.cpp') diff --git a/lib/sisreqrecord.cpp b/lib/sisreqrecord.cpp index 75d9e51..c13308e 100644 --- a/lib/sisreqrecord.cpp +++ b/lib/sisreqrecord.cpp @@ -25,9 +25,13 @@ #include -void -SISReqRecord::fillFrom(uchar* buf, int* base, SISFile* sisFile) +SisRC +SISReqRecord::fillFrom(uchar* buf, int* base, off_t len, SISFile* sisFile) { + int n = sisFile->m_header.m_nreqs; + if (*base + 12 + n * 4 * 2) + return SIS_TRUNCATED; + uchar* p = buf + *base; int size = 0; @@ -35,7 +39,6 @@ SISReqRecord::fillFrom(uchar* buf, int* base, SISFile* sisFile) m_major = read16(p + 4); m_minor = read16(p + 6); m_variant = read32(p + 8); - int n = sisFile->m_header.m_nreqs; m_nameLengths = new uint32[n]; m_namePtrs = new uint32[n]; @@ -53,6 +56,11 @@ SISReqRecord::fillFrom(uchar* buf, int* base, SISFile* sisFile) for (int i = 0; i < n; ++i) { m_namePtrs[i] = read32(p + size); + if (m_namePtrs[i] + m_nameLengths[i] > len) + { + printf("Position/length too large for req record %d.\n", i); + return SIS_CORRUPTED; + } size += 4; if (logLevel >= 2) printf("Name %d (for %s) is %.*s\n", @@ -65,5 +73,6 @@ SISReqRecord::fillFrom(uchar* buf, int* base, SISFile* sisFile) printf("%d .. %d (%d bytes): Req record\n", *base, *base + size, size); *base += size; + return SIS_OK; } -- cgit v1.2.3
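Review bot: The truncation guard added at the top of fillFrom never compares against the new `len` parameter: `if (*base + 12 + n * 4 * 2)` is true for any non-zero value, so the function returns SIS_TRUNCATED for practically every record, and a genuinely short buffer is not what it detects. The line should read `if (*base + 12 + n * 4 * 2 > len) return SIS_TRUNCATED;`. Because `n` is taken from the file header, `n * 4 * 2` in int arithmetic can also overflow for a corrupted count; checking `*base + 12 > len` first and then bounding `n` against `(len - *base - 12) / 8` keeps the arithmetic in range. The body of fillFrom continues past this hunk.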
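Review bot: The per-entry check `if (m_namePtrs[i] + m_nameLengths[i] > len)` in the name-pointer loop adds two uint32 values in 32-bit arithmetic, so a corrupted pointer/length pair whose sum wraps past 2^32 compares small against `len` and slips through even though the later read lies outside the buffer. Comparing the parts separately avoids the wrap: `if (m_namePtrs[i] > len || m_nameLengths[i] > len - m_namePtrs[i])`. The loop that fills m_nameLengths is outside this hunk, so the array is presumably populated by this point; the enclosing function also starts and ends outside the hunk.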