signature: checks for integer overflow in limits propagation
authorPhilippe Antoine <contact@catenacyber.fr>
Thu, 23 Jul 2020 09:26:16 +0000 (11:26 +0200)
committerJeff Lucovsky <jeff@lucovsky.org>
Sun, 20 Sep 2020 13:36:02 +0000 (09:36 -0400)
(cherry picked from commit 61c327dd80f02484481cbea6d48168063ae90a69)

src/detect-content.c

index 8f7ddea46165c38adc027f4b8354cc965027135c..2217943d7f62b030620877c7121710f8caf902eb 100644 (file)
@@ -545,7 +545,11 @@ void DetectContentPropagateLimits(Signature *s)
                             (cd->flags & (DETECT_CONTENT_DEPTH|DETECT_CONTENT_OFFSET|DETECT_CONTENT_WITHIN|DETECT_CONTENT_DISTANCE)) == (DETECT_CONTENT_DISTANCE)) {
                         if (cd->distance >= 0) {
                             // only distance
-                            offset = cd->offset = offset_plus_pat + cd->distance;
+                            if ((uint32_t)offset_plus_pat + cd->distance <= UINT16_MAX) {
+                                offset = cd->offset = offset_plus_pat + cd->distance;
+                            } else {
+                                SCLogDebug("not updated content offset as it would overflow : %u + %d", offset_plus_pat, cd->distance);
+                            }
                             offset_plus_pat = offset + cd->content_len;
                             SCLogDebug("offset %u offset_plus_pat %u", offset, offset_plus_pat);
                         }
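Review bot: The statement right after the new guard, `offset_plus_pat = offset + cd->content_len;`, is still unchecked, so the truncation this commit guards against can recur one line later if `offset_plus_pat` is a 16-bit variable, as the `UINT16_MAX` comparison suggests (its declaration is outside the hunk). In the overflow branch it also runs with `offset` left at whatever value it held before this keyword, so later contents would propagate limits from a position that ignores this distance. Consider guarding it the same way, e.g. `if ((uint32_t)offset + cd->content_len <= UINT16_MAX) offset_plus_pat = offset + cd->content_len;`, and adding a comment in the else branch such as `// limits left unchanged: offset + distance does not fit in 16 bits`. The skipped case is reported only through `SCLogDebug`, so in builds without debug logging a rule author gets no indication that limit propagation was skipped for this keyword. DetectContentPropagateLimits starts and ends outside the hunk.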
@@ -710,6 +714,8 @@ static int DetectContentDepthTest01(void)
     // hi end: depth '13' (4+9) + distance 55 = 68 + within 2 = 70
     TEST_RUN("content:\"=\"; offset:4; depth:9; content:\"=&\"; distance:55; within:2;", 60, 70);
 
+    TEST_RUN("content:\"0123456789\"; content:\"abcdef\"; distance:2147483647;", 10, 0);
+
     TEST_DONE;
 }
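Review bot: The added `TEST_RUN` case has no comment explaining its expected values `10, 0`, unlike the case directly above it, and it exercises only the far extreme of the distance range. A line such as `// distance INT32_MAX: offset + distance exceeds UINT16_MAX, so the offset must not wrap` would document the intent. A pair of cases on either side of the `UINT16_MAX` boundary would pin the `<=` in the new guard; as written, an off-by-one in that comparison would go unnoticed by this test.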