If ‘size’ was equal to UINT32_MAX, the expression ‘size+1’ could
overflow to zero.
This could result in inadequate memory being allocated, which could
cause ndr_pull_compression_xpress_huff_raw_chunk() to overflow memory
with zero bytes.
Credit to OSS-Fuzz.
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57728
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15415
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
}
ndr->alloc_size += NDR_BASE_MARSHALL_SIZE;
+ if (size == UINT32_MAX) {
+ return ndr_push_error(ndr, NDR_ERR_BUFSIZE, "Overflow in push_expand");
+ }
if (size+1 > ndr->alloc_size) {
ndr->alloc_size = size+1;
}
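Review bot: the new `size == UINT32_MAX` guard sits after `ndr->alloc_size += NDR_BASE_MARSHALL_SIZE;`, so the push context is mutated before the error is returned; moving the check above that increment would leave `ndr->alloc_size` untouched on the failure path and keeps the "reject bad input before changing state" ordering that is easier to reason about. The guard itself is correct: with `size` bounded to `UINT32_MAX - 1`, the `size+1` in the following comparison and assignment can no longer wrap to zero. A smaller follow-up is to drop the addition from the comparison entirely, `if (size >= ndr->alloc_size)`, which reads as "index must fit" and removes one place a future reader has to think about wraparound; the guard is still needed because `ndr->alloc_size = size+1` would otherwise wrap. Consider also including the offending `size` in the `NDR_ERR_BUFSIZE` message, which makes fuzzer reports easier to triage.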