Pull request #4819: Fixed issue Snort 3 VBA decompression read OOBs due to integer...

author Saikrishna Ramdeni (sramdeni) <sramdeni@cisco.com>

Fri, 25 Jul 2025 07:21:11 +0000 (07:21 +0000)

committer Lokesh Bevinamarad (lbevinam) <lbevinam@cisco.com>

Fri, 25 Jul 2025 07:21:11 +0000 (07:21 +0000)
author Saikrishna Ramdeni (sramdeni) <sramdeni@cisco.com>
Fri, 25 Jul 2025 07:21:11 +0000 (07:21 +0000)
committer Lokesh Bevinamarad (lbevinam) <lbevinam@cisco.com>
Fri, 25 Jul 2025 07:21:11 +0000 (07:21 +0000)
diff --git a/src/decompress/file_olefile.cc b/src/decompress/file_olefile.cc

index 32e521d2c560e1b8e03a962f1a179e9ab87ec02d..72d90f678054ecff8bde95009c3b854e2293ae57 100644 (file)
--- a/src/decompress/file_olefile.cc
+++ b/src/decompress/file_olefile.cc
@@ -73,7 +73,8 @@ void OleFile :: walk_directory_list()
          const uint8_t* buf = file_buf;
          uint32_t start_offset = get_fat_offset(current_sector);
  
-        if ((start_offset + sector_size) > buf_len)
+        // Integer overflow check
+        if (start_offset + sector_size < start_offset || (start_offset + sector_size) > buf_len)
              return;
  
          buf += start_offset;
@@ -367,10 +368,14 @@ void OleFile :: populate_fat_list()
      current_sector = fat_sector;
      while (current_sector > INVALID_SECTOR)
      {
-        uint32_t byte_offset = OLE_HEADER_LEN + (current_sector * header->get_sector_size());
+        uint32_t sector_size = header->get_sector_size();
+        uint32_t byte_offset = OLE_HEADER_LEN + (current_sector * sector_size);
  
-        const uint8_t* buf = file_buf;
+        // Integer overflow check
+        if (byte_offset + sector_size < byte_offset || (byte_offset + sector_size) > buf_len)
+            return;
  
+        const uint8_t* buf = file_buf;
          buf += byte_offset;
  
          if ((byte_offset + header->get_sector_size()) > buf_len)
@@ -427,13 +432,14 @@ void OleFile :: populate_mini_fat_list()
      int32_t minfat_curr_cnt = 0;
      while (current_sector > INVALID_SECTOR)
      {
-        uint32_t byte_offset = OLE_HEADER_LEN + (current_sector * header->get_sector_size());
+        uint32_t sector_size = header->get_sector_size();
+        uint32_t byte_offset = OLE_HEADER_LEN + (current_sector * sector_size);
  
-        if ((byte_offset + header->get_sector_size()) > buf_len)
+        // Integer overflow check
+        if (byte_offset + sector_size < byte_offset || (byte_offset + sector_size) > buf_len)
              return;
  
          const uint8_t* buf = file_buf;
-
          buf += byte_offset;
  
          while ((count - (minfat_curr_cnt * max_secchain_cnt)) < max_secchain_cnt and count < mini_fat_list_len)
author	Saikrishna Ramdeni (sramdeni) <sramdeni@cisco.com>
	Fri, 25 Jul 2025 07:21:11 +0000 (07:21 +0000)
committer	Lokesh Bevinamarad (lbevinam) <lbevinam@cisco.com>
	Fri, 25 Jul 2025 07:21:11 +0000 (07:21 +0000)