From 4c5ed1eae5a9d08377114c615420219ad7deb708 Mon Sep 17 00:00:00 2001
From: "Saikrishna Ramdeni (sramdeni)"
Date: Fri, 25 Jul 2025 07:21:11 +0000
Subject: [PATCH] Pull request #4819: Fixed issue Snort 3 VBA decompression read OOBs due to integer overflows
Merge in SNORT/snort3 from ~SRAMDENI/snort3:CSCwq23380_master to master
Squashed commit of the following:
commit 881e7e702d1e1893b120eaad91449d3aa2b1e038
Author: sramdeni
Date: Wed Jul 16 18:16:50 2025 +0530
olefile_vba : Fixed issue Snort 3 VBA decompression read OOBs due to integer overflows
---
 src/decompress/file_olefile.cc | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/src/decompress/file_olefile.cc b/src/decompress/file_olefile.cc
index 32e521d2c..72d90f678 100644
--- a/src/decompress/file_olefile.cc
+++ b/src/decompress/file_olefile.cc
@@ -73,7 +73,8 @@ void OleFile :: walk_directory_list()
 const uint8_t* buf = file_buf;
 uint32_t start_offset = get_fat_offset(current_sector);
- if ((start_offset + sector_size) > buf_len)
+ // Integer overflow check
+ if (start_offset + sector_size < start_offset || (start_offset + sector_size) > buf_len)
 return;
 buf += start_offset;
@@ -367,10 +368,14 @@ void OleFile :: populate_fat_list()
 current_sector = fat_sector;
 while (current_sector > INVALID_SECTOR)
 {
- uint32_t byte_offset = OLE_HEADER_LEN + (current_sector * header->get_sector_size());
+ uint32_t sector_size = header->get_sector_size();
+ uint32_t byte_offset = OLE_HEADER_LEN + (current_sector * sector_size);
- const uint8_t* buf = file_buf;
+ // Integer overflow check
+ if (byte_offset + sector_size < byte_offset || (byte_offset + sector_size) > buf_len)
+ return;
+ const uint8_t* buf = file_buf;
 buf += byte_offset;
 if ((byte_offset + header->get_sector_size()) > buf_len)
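Review bot: The new guard in walk_directory_list() still rejects an out-of-range sector with a bare `return;` from a void function, so a malformed OLE file ends the directory walk with nothing recorded; the guards added in populate_fat_list() and populate_mini_fat_list() do the same. For an inspection engine, abandoning VBA extraction without a trace is a visibility gap, so the rejection is worth counting or tracing with whatever mechanism this module already uses (none is visible in the hunk). At minimum the comment could say what is being rejected, e.g. `// Malformed OLE: sector range wraps or runs past buf_len; stop walking`. The function body starts and ends outside the hunk, so a caller-side signal may already exist.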
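Review bot: In populate_fat_list() the product `current_sector * sector_size` is still computed in 32 bits before the new check runs, so a large sector number can wrap `byte_offset` to a small value that passes both clauses; the read then stays inside the buffer but comes from the wrong sector. The same expression is added in populate_mini_fat_list(). Widening the arithmetic removes the need for the wrap test: `uint64_t byte_offset = OLE_HEADER_LEN + uint64_t(current_sector) * sector_size;` followed by `if (byte_offset + sector_size > buf_len) return;` (this assumes current_sector is non-negative here and buf_len is at most 32 bits wide, neither of which the hunk shows). The older `if ((byte_offset + header->get_sector_size()) > buf_len)` that remains just below `buf += byte_offset;` now repeats the new check and can be dropped.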
@@ -427,13 +432,14 @@ void OleFile :: populate_mini_fat_list() int32_t minfat_curr_cnt = 0; while (current_sector > INVALID_SECTOR) { - uint32_t byte_offset = OLE_HEADER_LEN + (current_sector * header->get_sector_size()); + uint32_t sector_size = header->get_sector_size(); + uint32_t byte_offset = OLE_HEADER_LEN + (current_sector * sector_size); - if ((byte_offset + header->get_sector_size()) > buf_len) + // Integer overflow check + if (byte_offset + sector_size < byte_offset || (byte_offset + sector_size) > buf_len) return; const uint8_t* buf = file_buf; - buf += byte_offset; while ((count - (minfat_curr_cnt * max_secchain_cnt)) < max_secchain_cnt and count < mini_fat_list_len) -- 2.47.3