opencdk: read_attribute: added more precise checks when reading stream

That addresses heap read overflows found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=338
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=346

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

diff --git a/lib/opencdk/read-packet.c b/lib/opencdk/read-packet.c
index cdb47007a6183a85bcd0ba9717cee67ffbb2dbba..b999e1c000bcdf5d674d10c6c1c00725db255a27 100644 (file)
--- a/lib/opencdk/read-packet.c
+++ b/lib/opencdk/read-packet.c
@@ -482,46 +482,64 @@ read_attribute(cdk_stream_t inp, size_t pktlen, cdk_pkt_userid_t attr,
                return CDK_Out_Of_Core;
        rc = stream_read(inp, buf, pktlen, &nread);
        if (rc) {
-               cdk_free(buf);
-               return CDK_Inv_Packet;
+               gnutls_assert();
+               rc = CDK_Inv_Packet;
+               goto error;
        }
+
        p = buf;
        len = *p++;
        pktlen--;
+
        if (len == 255) {
+               if (pktlen < 4) {
+                       gnutls_assert();
+                       rc = CDK_Inv_Packet;
+                       goto error;
+               }
+
                len = _cdk_buftou32(p);
                p += 4;
                pktlen -= 4;
        } else if (len >= 192) {
                if (pktlen < 2) {
-                       cdk_free(buf);
-                       return CDK_Inv_Packet;
+                       gnutls_assert();
+                       rc = CDK_Inv_Packet;
+                       goto error;
                }
+
                len = ((len - 192) << 8) + *p + 192;
                p++;
                pktlen--;
        }
 
-       if (*p != 1) {          /* Currently only 1, meaning an image, is defined. */
-               cdk_free(buf);
-               return CDK_Inv_Packet;
+       if (!len || *p != 1) {          /* Currently only 1, meaning an image, is defined. */
+               rc = CDK_Inv_Packet;
+               goto error;
        }
+
        p++;
        len--;
 
        if (len >= pktlen) {
-               cdk_free(buf);
-               return CDK_Inv_Packet;
+               rc = CDK_Inv_Packet;
+               goto error;
        }
+
        attr->attrib_img = cdk_calloc(1, len);
        if (!attr->attrib_img) {
-               cdk_free(buf);
-               return CDK_Out_Of_Core;
+               rc = CDK_Out_Of_Core;
+               goto error;
        }
+
        attr->attrib_len = len;
        memcpy(attr->attrib_img, p, len);
        cdk_free(buf);
        return rc;
+
+ error:
+       cdk_free(buf);
+       return rc;
 }