From: Ashutosh Gupta (ashugup3) Date: Thu, 24 Jul 2025 10:21:45 +0000 (+0000) Subject: Pull request #4810: decompress: avoiding heap buffer overflows X-Git-Tag: 3.9.3.0~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=37e769cb7cd54437a04156922317df767f8ad0a0;p=thirdparty%2Fsnort3.git Pull request #4810: decompress: avoiding heap buffer overflows Merge in SNORT/snort3 from ~ASHUGUP3/snort3:bug_CSCwq23373 to master Squashed commit of the following: commit 8729ea13efc7275a8c25f6091ab4bbd2909ee32d Author: ashutosh Date: Mon Jul 14 13:23:29 2025 +0530 decompress: avoiding heap buffer overflows --- diff --git a/src/decompress/file_olefile.cc b/src/decompress/file_olefile.cc index 4a453a702..32e521d2c 100644 --- a/src/decompress/file_olefile.cc +++ b/src/decompress/file_olefile.cc @@ -376,7 +376,7 @@ void OleFile :: populate_fat_list() if ((byte_offset + header->get_sector_size()) > buf_len) return; - while ((count - (fat_sector_curr_cnt * max_secchain_cnt)) < (max_secchain_cnt)) + while ((count - (fat_sector_curr_cnt * max_secchain_cnt)) < (max_secchain_cnt) and count < fat_list_len) { if (!header->get_byte_order()) fat_list[count] = LETOHL_UNALIGNED(buf); @@ -385,6 +385,9 @@ void OleFile :: populate_fat_list() count++; buf += 4; } + if (count >= fat_list_len) { + break; + } fat_sector_curr_cnt++; if (fat_sector_curr_cnt < MAX_DIFAT_SECTORS) current_sector = header->get_difat_array(fat_sector_curr_cnt); @@ -433,7 +436,7 @@ void OleFile :: populate_mini_fat_list() buf += byte_offset; - while ((count - (minfat_curr_cnt * max_secchain_cnt)) < max_secchain_cnt) + while ((count - (minfat_curr_cnt * max_secchain_cnt)) < max_secchain_cnt and count < mini_fat_list_len) { if (!header->get_byte_order()) mini_fat_list[count] = LETOHL_UNALIGNED(buf); 
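Review bot: The read-side guard kept as context in the first populate_fat_list() hunk, `if ((byte_offset + header->get_sector_size()) > buf_len) return;`, adds before it compares, so it may be bypassable by wrap-around. If byte_offset is a 32-bit value computed from a sector number taken from the file (its declaration is outside the hunk), the sum can wrap and pass the check. The new `count < fat_list_len` term bounds only the writes into fat_list; the 4-byte reads through `buf` still rely on that guard, so a form that cannot wrap is safer: `if (byte_offset > buf_len or header->get_sector_size() > buf_len - byte_offset) return;`. In populate_mini_fat_list() (hunk at -433) the equivalent guard before `buf += byte_offset;` is not visible, so confirm it exists and give it the same form. Both functions begin and end outside the hunks.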
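Review bot: The added `if (count >= fat_list_len) { break; }` after the inner loop in populate_fat_list() stops parsing silently, and the same applies to the `mini_fat_list_len` check in populate_mini_fat_list() (hunk at -442). A sector chain that yields more entries than the list was sized for indicates a malformed file, and whoever later triages a partly decoded OLE stream would want that recorded. At minimum, state the intent in a comment such as `// chain yields more entries than fat_list_len: stop rather than write past fat_list`. The brace placement also appears to differ from the surrounding code, where the `{` of the `while` sits on its own line. The enclosing outer loop begins outside the hunk.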
@@ -442,6 +445,9 @@ void OleFile :: populate_mini_fat_list() count++; buf += 4; } + if (count >= mini_fat_list_len) { + break; + } minfat_curr_cnt++; int32_t next_sector = get_next_fat_sector(current_sector); if (next_sector > INVALID_SECTOR)