"Error: INTEGER_OVERFLOW (CWE-190):
samba-4.20.0rc2/source3/registry/regfio.c:175: tainted_data_argument: The check "bytes_read < block_size" contains the tainted expression "bytes_read" which causes "block_size" to be considered tainted.
samba-4.20.0rc2/source3/registry/regfio.c:176: overflow: The expression "block_size - bytes_read" is deemed overflowed because at least one of its arguments has overflowed.
samba-4.20.0rc2/source3/registry/regfio.c:176: overflow_sink: "block_size - bytes_read", which might have underflowed, is passed to "read(file->fd, buffer + bytes_read, block_size - bytes_read)". [Note: The source code implementation of the function has been overridden by a builtin model.]
174|
175| while ( bytes_read < block_size ) {
176|-> if ( (returned = read( file->fd, buffer+bytes_read, block_size-bytes_read )) == -1 ) {
177| DEBUG(0,("read_block: read() failed (%s)\n", strerror(errno) ));
178| return False;"
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
return False;
}
+ if (returned < 0 || bytes_read > INT_MAX - returned) {
+ DBG_ERR("Integer overflow\n");
+ return false;
+ }
bytes_read += returned;
}
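Review bot: The added guard ahead of `bytes_read += returned` bounds the sum against INT_MAX, but the expression Coverity flagged at regfio.c:176 is `block_size - bytes_read`, and what keeps that from underflowing is `bytes_read <= block_size` after the addition. Testing `returned > block_size - bytes_read` at this point would state that invariant directly; because the loop condition already guarantees `bytes_read < block_size`, it would also rule out the wrap in the addition, assuming the operands share a type wide enough for `block_size`. The `returned < 0` half only repeats the `== -1` branch just above, which has already returned, since read() yields -1 or a non-negative count; it could be dropped, or the two error paths merged. The message "Integer overflow" carries no values, so logging `bytes_read` and `returned` would make a hit diagnosable. The new `return false` is also spelled differently from the `return False` two lines above it.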