cd9660: Don't parse RRIP records whose length overflows the sector boundary
PR: 272896 Reported by: Robert Morris <rtm@lcs.mit.edu> Reviewed by: des, emaste Differential Revision: https://reviews.freebsd.org/D57135
@@ -464,6 +464,7 @@ cd9660_rrip_loop(struct iso_directory_record *isodir, ISO_RRIP_ANALYZE *ana,
|
|||||||
RRIP_TABLE *ptable;
|
RRIP_TABLE *ptable;
|
||||||
ISO_SUSP_HEADER *phead;
|
ISO_SUSP_HEADER *phead;
|
||||||
ISO_SUSP_HEADER *pend;
|
ISO_SUSP_HEADER *pend;
|
||||||
|
ISO_SUSP_HEADER *pnext;
|
||||||
struct buf *bp = NULL;
|
struct buf *bp = NULL;
|
||||||
char *pwhead;
|
char *pwhead;
|
||||||
u_short c;
|
u_short c;
|
||||||
@@ -495,6 +496,21 @@ cd9660_rrip_loop(struct iso_directory_record *isodir, ISO_RRIP_ANALYZE *ana,
|
|||||||
* Note: "pend" should be more than one SUSP header
|
* Note: "pend" should be more than one SUSP header
|
||||||
*/
|
*/
|
||||||
while (pend >= phead + 1) {
|
while (pend >= phead + 1) {
|
||||||
|
/* Validate length. */
|
||||||
|
if (isonum_711(phead->length) < sizeof(*phead))
|
||||||
|
break;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Next SUSP
|
||||||
|
* Hopefully this works with newer versions, too
|
||||||
|
*/
|
||||||
|
pnext = (ISO_SUSP_HEADER *)((char *)phead +
|
||||||
|
isonum_711(phead->length));
|
||||||
|
|
||||||
|
/* If the record doesn't fit, break out of the loop. */
|
||||||
|
if (pnext > pend)
|
||||||
|
break;
|
||||||
|
|
||||||
if (isonum_711(phead->version) == 1) {
|
if (isonum_711(phead->version) == 1) {
|
||||||
for (ptable = table; ptable->func; ptable++) {
|
for (ptable = table; ptable->func; ptable++) {
|
||||||
if (phead->type[0] == ptable->type[0] &&
|
if (phead->type[0] == ptable->type[0] &&
|
||||||
@@ -510,14 +526,8 @@ cd9660_rrip_loop(struct iso_directory_record *isodir, ISO_RRIP_ANALYZE *ana,
|
|||||||
result &= ~ISO_SUSP_STOP;
|
result &= ~ISO_SUSP_STOP;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
/* plausibility check */
|
|
||||||
if (isonum_711(phead->length) < sizeof(*phead))
|
phead = pnext;
|
||||||
break;
|
|
||||||
/*
|
|
||||||
* move to next SUSP
|
|
||||||
* Hopefully this works with newer versions, too
|
|
||||||
*/
|
|
||||||
phead = (ISO_SUSP_HEADER *)((char *)phead + isonum_711(phead->length));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ana->fields && ana->iso_ce_len) {
|
if (ana->fields && ana->iso_ce_len) {
|
||||||
|
|||||||
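Review bot: The new fit check `if (pnext > pend) break;` bounds only the length the record declares for itself, not what the per-type handler invoked through `ptable->func(phead, ana)` will actually read: a record whose length passes the `sizeof(*phead)` test but is smaller than the type-specific structure its handler casts it to can still be dispatched, and that handler may then read fields beyond `pnext` (and, for a record placed at the end of the area, beyond `pend`), unless every handler validates its own minimum size, which this hunk does not show. A cheap way to close that gap in the loop itself is to carry a minimum record size per `table` entry and skip the dispatch when `isonum_711(phead->length)` is below it, so the loop, not each handler, is the single place that enforces the bound; alternatively each handler should check its own length before touching anything past the 4-byte header. It would also help a reader to note at the `pnext` computation that `pend` is treated as one-past-the-end of the SUSP area, which is what the `>` comparison presumes and is not visible here. The enclosing `cd9660_rrip_loop` begins before the first hunk and continues after the last one.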