package/file/0001-Detect-multiplication-overflow-when-computing-sector.patch - buildroot - Git at Google

 From 06de62c022138f63de9bcd04074491945eaa8662 Mon Sep 17 00:00:00 2001
 From: Christos Zoulas <christos@zoulas.com>
 Date: Fri, 23 Aug 2019 14:29:14 +0000
 Subject: [PATCH] Detect multiplication overflow when computing sector position
  (found by oss-fuzz)

 Fixes CVE-2019-18218

 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
 ---
  src/cdf.c | 20 +++++++++++++++++---
  1 file changed, 17 insertions(+), 3 deletions(-)

 diff --git a/src/cdf.c b/src/cdf.c
 index 556a3ff8..9d639674 100644
 --- a/src/cdf.c
 +++ b/src/cdf.c
 @@ -35,7 +35,7 @@
  #include "file.h"

  #ifndef lint
 -FILE_RCSID("@(#)$File: cdf.c,v 1.114 2019/02/20 02:35:27 christos Exp $")
 +FILE_RCSID("@(#)$File: cdf.c,v 1.115 2019/08/23 14:29:14 christos Exp $")
  #endif

  #include <assert.h>
 @@ -53,6 +53,10 @@ FILE_RCSID("@(#)$File: cdf.c,v 1.114 2019/02/20 02:35:27 christos Exp $")
  #define EFTYPE EINVAL
  #endif

 +#ifndef SIZE_T_MAX
 +#define SIZE_T_MAX CAST(size_t, ~0ULL)
 +#endif
 +
  #include "cdf.h"

  #ifdef CDF_DEBUG
 @@ -405,7 +409,12 @@ cdf_read_sector(const cdf_info_t *info, void *buf, size_t offs, size_t len,
      const cdf_header_t *h, cdf_secid_t id)
  {
  	size_t ss = CDF_SEC_SIZE(h);
 -	size_t pos = CDF_SEC_POS(h, id);
 +	size_t pos;
 +
 +	if (SIZE_T_MAX / ss < CAST(size_t, id))
 +		return -1;
 +
 +	pos = CDF_SEC_POS(h, id);
  	assert(ss == len);
  	return cdf_read(info, CAST(off_t, pos), RCAST(char *, buf) + offs, len);
  }
 @@ -415,7 +424,12 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
      size_t len, const cdf_header_t *h, cdf_secid_t id)
  {
  	size_t ss = CDF_SHORT_SEC_SIZE(h);
 -	size_t pos = CDF_SHORT_SEC_POS(h, id);
 +	size_t pos;
 +
 +	if (SIZE_T_MAX / ss < CAST(size_t, id))
 +		return -1;
 +
 +	pos = CDF_SHORT_SEC_POS(h, id);
  	assert(ss == len);
  	if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
  		DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
 --
 2.20.1
	From 06de62c022138f63de9bcd04074491945eaa8662 Mon Sep 17 00:00:00 2001
	From: Christos Zoulas <christos@zoulas.com>
	Date: Fri, 23 Aug 2019 14:29:14 +0000
	Subject: [PATCH] Detect multiplication overflow when computing sector position
	(found by oss-fuzz)

	Fixes CVE-2019-18218

	Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
	---
	src/cdf.c \| 20 +++++++++++++++++---
	1 file changed, 17 insertions(+), 3 deletions(-)

	diff --git a/src/cdf.c b/src/cdf.c
	index 556a3ff8..9d639674 100644
	--- a/src/cdf.c
	+++ b/src/cdf.c
	@@ -35,7 +35,7 @@
	#include "file.h"

	#ifndef lint
	-FILE_RCSID("@(#)$File: cdf.c,v 1.114 2019/02/20 02:35:27 christos Exp $")
	+FILE_RCSID("@(#)$File: cdf.c,v 1.115 2019/08/23 14:29:14 christos Exp $")
	#endif

	#include <assert.h>
	@@ -53,6 +53,10 @@ FILE_RCSID("@(#)$File: cdf.c,v 1.114 2019/02/20 02:35:27 christos Exp $")
	#define EFTYPE EINVAL
	#endif

	+#ifndef SIZE_T_MAX
	+#define SIZE_T_MAX CAST(size_t, ~0ULL)
	+#endif
	+
	#include "cdf.h"

	#ifdef CDF_DEBUG
	@@ -405,7 +409,12 @@ cdf_read_sector(const cdf_info_t info, void buf, size_t offs, size_t len,
	const cdf_header_t *h, cdf_secid_t id)
	{
	size_t ss = CDF_SEC_SIZE(h);
	- size_t pos = CDF_SEC_POS(h, id);
	+ size_t pos;
	+
	+ if (SIZE_T_MAX / ss < CAST(size_t, id))
	+ return -1;
	+
	+ pos = CDF_SEC_POS(h, id);
	assert(ss == len);
	return cdf_read(info, CAST(off_t, pos), RCAST(char *, buf) + offs, len);
	}
	@@ -415,7 +424,12 @@ cdf_read_short_sector(const cdf_stream_t sst, void buf, size_t offs,
	size_t len, const cdf_header_t *h, cdf_secid_t id)
	{
	size_t ss = CDF_SHORT_SEC_SIZE(h);
	- size_t pos = CDF_SHORT_SEC_POS(h, id);
	+ size_t pos;
	+
	+ if (SIZE_T_MAX / ss < CAST(size_t, id))
	+ return -1;
	+
	+ pos = CDF_SHORT_SEC_POS(h, id);
	assert(ss == len);
	if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
	DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
	--
	2.20.1