[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[PATCH] - libcheckisomd5.c buffer overrun



There's a possibility of a minor buffer overrun in libcheckisomd5.c due
to a faulty bounds check.

The code in question...
<snip>
    while (loc < 512) {
        if (!strncmp(buf2 + loc, "ISO MD5SUM = ", 13)) {

            /* make sure we dont walk off end */
            if ((loc + 32) > 511)
                return -1;

            memcpy(mediasum, buf2 + loc + 13, 32);
            mediasum[32] = '\0';
            md5fnd = 1;
            loc += 45;
            for (p=buf2+loc; *p != ';' && loc < 512; p++, loc++);

</snip>

The code checks to make sure that the current location plus 32 bytes is
within the buffer's 512 byte size:
            if ((loc + 32) > 511)
                return -1;

But on the very next line, there's a possibility of copying beyond
buf2's 512 byte static char array:
            memcpy(mediasum, buf2 + loc + 13, 32);

And a few lines later, the code moves the location forward by 45 bytes:
            loc += 45;

The memcpy seems unprotected to me.  This bug was found by Coverity, a
source code checker.  Patch follows.  Your thoughts?


:-Dustin

--- isomd5sum/libcheckisomd5.c.orig     2005-08-08 10:14:41.246617392
-0500
+++ isomd5sum/libcheckisomd5.c  2005-08-08 10:15:21.190544992 -0500
@@ -60,7 +60,7 @@ static int parsepvd(int isofd, char *med
        if (!strncmp(buf2 + loc, "ISO MD5SUM = ", 13)) {

            /* make sure we dont walk off end */
-           if ((loc + 32) > 511)
+           if ((loc + 45) > 511)
                return -1;

            memcpy(mediasum, buf2 + loc + 13, 32);

Attachment: signature.asc
Description: This is a digitally signed message part


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]