diff --git a/ChangeLog b/ChangeLog
index c0b212a..2dd7469 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2017-08-05 Stuart Caie <kyzer@cabextract.org.uk>
+
+ * cabd_read_string(): add missing error check on result of read().
+ If an mspack_system implementation returns an error, it's interpreted
+ as a huge positive integer, which leads to reading past the end of the
+ stack-based buffer. Thanks to Sebastian Andrzej Siewior for explaining
+ the problem. This issue was raised by ClamAV as CVE-2017-11423
+
 2015-05-10 Stuart Caie <kyzer@4u.net>
 
  * cabd_read_string(): correct rejection of empty strings. Thanks to
diff --git a/mspack/cabd.c b/mspack/cabd.c
index 16021ee..8b10934 100644
--- a/mspack/cabd.c
+++ b/mspack/cabd.c
@@ -521,10 +521,13 @@ static char *cabd_read_string(struct mspack_system *sys,
 {
   off_t base = sys->tell(fh);
   char buf[256], *str;
-  unsigned int len, i, ok;
+  int len, i, ok;
 
   /* read up to 256 bytes */
-  len = sys->read(fh, &buf[0], 256);
+  if ((len = sys->read(fh, &buf[0], 256)) <= 0) {
+    *error = MSPACK_ERR_READ;
+    return NULL;
+  }
 
   /* search for a null terminator in the buffer */
   for (i = 0, ok = 0; i < len; i++) if (!buf[i]) { ok = 1; break; }
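Review bot: The new check at `if ((len = sys->read(fh, &buf[0], 256)) <= 0)` closes the negative-return case but still trusts that `sys->read` reports no more than the 256 bytes it was asked for; since the stated rationale is an mspack_system implementation returning an unexpected value, the upper bound could be pinned in the same condition, `if ((len = sys->read(fh, &buf[0], 256)) <= 0 || len > 256) {`, so the following `i < len` loop can never index past `buf`. A zero-byte read now also maps to MSPACK_ERR_READ, which is correct because even an empty string needs its terminator byte, but that is not obvious from the `<= 0`; a comment such as `/* 0 bytes is an error too: even "" needs its NUL terminator */` above the check would make it explicit. cabd_read_string's body continues outside the hunk, so the handling of the not-found case after the loop is not visible here.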