]> git.ipfire.org Git - thirdparty/snort3.git/commitdiff
projects / thirdparty / snort3.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e5ca881)
Pull request #4810: decompress: avoiding heap buffer overflows
authorAshutosh Gupta (ashugup3) <ashugup3@cisco.com>
Thu, 24 Jul 2025 10:21:45 +0000 (10:21 +0000)
committerLokesh Bevinamarad (lbevinam) <lbevinam@cisco.com>
Thu, 24 Jul 2025 10:21:45 +0000 (10:21 +0000)
Merge in SNORT/snort3 from ~ASHUGUP3/snort3:bug_CSCwq23373 to master

Squashed commit of the following:

commit 8729ea13efc7275a8c25f6091ab4bbd2909ee32d
Author: ashutosh <ashugup3@cisco.com>
Date:   Mon Jul 14 13:23:29 2025 +0530

    decompress: avoiding heap buffer overflows

src/decompress/file_olefile.cc patch | blob | blame | history

diff --git a/src/decompress/file_olefile.cc b/src/decompress/file_olefile.cc
index 4a453a7021efc07ac5bfab19e5aab1c4b713b93d..32e521d2c560e1b8e03a962f1a179e9ab87ec02d 100644 (file)
--- a/src/decompress/file_olefile.cc
+++ b/src/decompress/file_olefile.cc
@@ -376,7 +376,7 @@ void OleFile :: populate_fat_list()
         if ((byte_offset + header->get_sector_size()) > buf_len)
             return;
 
-        while ((count - (fat_sector_curr_cnt * max_secchain_cnt)) < (max_secchain_cnt))
+        while ((count - (fat_sector_curr_cnt * max_secchain_cnt)) < (max_secchain_cnt) and count < fat_list_len)
         {
             if (!header->get_byte_order())
                 fat_list[count] = LETOHL_UNALIGNED(buf);
@@ -385,6 +385,9 @@ void OleFile :: populate_fat_list()
             count++;
             buf += 4;
         }
+        if (count >= fat_list_len) {
+            break;
+        }
         fat_sector_curr_cnt++;
         if (fat_sector_curr_cnt < MAX_DIFAT_SECTORS)
             current_sector = header->get_difat_array(fat_sector_curr_cnt);
@@ -433,7 +436,7 @@ void OleFile :: populate_mini_fat_list()
 
         buf += byte_offset;
 
-        while ((count - (minfat_curr_cnt * max_secchain_cnt)) < max_secchain_cnt)
+        while ((count - (minfat_curr_cnt * max_secchain_cnt)) < max_secchain_cnt and count < mini_fat_list_len)
         {
             if (!header->get_byte_order())
                 mini_fat_list[count] = LETOHL_UNALIGNED(buf);
@@ -442,6 +445,9 @@ void OleFile :: populate_mini_fat_list()
             count++;
             buf += 4;
         }
+        if (count >= mini_fat_list_len) {
+            break;
+        }
         minfat_curr_cnt++;
         int32_t next_sector = get_next_fat_sector(current_sector);
         if (next_sector > INVALID_SECTOR)
Mirror of https://github.com/snort3/snort3.git