Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Please login to access the resource
SUSE:SLE-15-SP4:Update
zchunk
CVE-2023-46228.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2023-46228.patch of Package zchunk
From 08aec2b4dfd7f709b6e3d511411ffcc83ed4efbe Mon Sep 17 00:00:00 2001 From: Jonathan Dieter <jdieter@gmail.com> Date: Thu, 5 Oct 2023 19:52:18 +0100 Subject: [PATCH] Handle overflow errors in malformed zchunk files Thanks to Agostino Sarubbo of Gentoo for the heads up! Signed-off-by: Jonathan Dieter <jdieter@gmail.com> --- src/lib/comp/comp.c | 6 ++++++ src/lib/comp/zstd/zstd.c | 6 ++++++ src/lib/dl/multipart.c | 6 ++++++ src/lib/header.c | 12 ++++++++++++ 4 files changed, 30 insertions(+) --- a/src/lib/comp/comp.c +++ b/src/lib/comp/comp.c @@ -115,6 +115,12 @@ static bool comp_add_to_data(zckCtx *zck ALLOCD_BOOL(zck, comp); ALLOCD_BOOL(zck, src); + if((comp->data_size > comp->data_size + src_size) || + (src_size > comp->data_size + src_size)) { + zck_log(ZCK_LOG_ERROR, "Integer overflow when reading data"); + return false; + } + comp->data = zrealloc(comp->data, comp->data_size + src_size); zck_log(ZCK_LOG_DEBUG, "Adding %lu bytes to compressed buffer", src_size); --- a/src/lib/comp/zstd/zstd.c +++ b/src/lib/comp/zstd/zstd.c @@ -115,6 +115,12 @@ static ssize_t compress(zckCtx *zck, zck ALLOCD_INT(zck, dst_size); ALLOCD_INT(zck, comp); + if((comp->dc_data_size > comp->dc_data_size + src_size) || + (src_size > comp->dc_data_size + src_size)) { + zck_log(ZCK_LOG_ERROR, "Integer overflow when reading decompressed data"); + return false; + } + comp->dc_data = zrealloc(comp->dc_data, comp->dc_data_size + src_size); memcpy(comp->dc_data + comp->dc_data_size, src, src_size); --- a/src/lib/dl/multipart.c +++ b/src/lib/dl/multipart.c @@ -119,6 +119,12 @@ size_t multipart_extract(zckDL *dl, char /* Add new data to stored buffer */ if(mp->buffer) { + if((mp->buffer_len > mp->buffer_len + l) || + (l > mp->buffer_len + l)) { + zck_log(ZCK_LOG_ERROR, "Integer overflow when extracting multipart data"); + return 0; + } + buf = zrealloc(mp->buffer, mp->buffer_len + l); memcpy(buf + mp->buffer_len, b, l); l = mp->buffer_len + l; --- a/src/lib/header.c +++ b/src/lib/header.c @@ -59,6 +59,12 @@ static bool read_optional_element(zckCtx } static bool read_header_from_file(zckCtx *zck) { + if((zck->lead_size > zck->lead_size + zck->header_length) || + (zck->header_length > zck->lead_size + zck->header_length)) { + zck_log(ZCK_LOG_ERROR, "Integer overflow when reading header"); + return false; + } + /* Allocate header and store any extra bytes at beginning of header */ zck->header = zrealloc(zck->header, zck->lead_size + zck->header_length); zck->lead_string = zck->header; @@ -444,6 +450,12 @@ static bool read_lead(zckCtx *zck) { /* Set header digest location */ zck->hdr_digest_loc = length; + /* Verify that we're not going to overflow */ + if(length > length + zck->hash_type.digest_size) { + zck_log(ZCK_LOG_ERROR, "Integer overflow when reading lead"); + return false; + } + /* Read header digest */ zck_log(ZCK_LOG_DEBUG, "Reading header digest"); header = zrealloc(header, length + zck->hash_type.digest_size);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor