[Speex-dev] [PATCH]Add address overflow check
Ruikai Liu
lrk700 at gmail.com
Fri Feb 9 09:42:30 UTC 2018
Hi,

I ran into a crash when using 32-bit `speexdec` and found that there's an
address overflow in function `print_comments()`:
static void print_comments(char *comments, int length)
{
   char *c=comments;
   int len, i, nb_fields;
   char *end;

   if (length<8)
   {
      fprintf (stderr, "Invalid/corrupted comments\n");
      return;
   }
   end = c+length;
   len=readint(c, 0);
   c+=4;
   // 'c+len' MAY OVERFLOW
   if (len < 0 || c+len>end)
   {
      fprintf (stderr, "Invalid/corrupted comments\n");
      return;
   }
The pointer `c` happened to be greater than `0x80000000` and the sum
overflowed, even though `length` is positive.

Here's the patch code:
diff --git a/src/speexdec.c b/src/speexdec.c
index 4721dc1..18786f1 100644
--- a/src/speexdec.c
+++ b/src/speexdec.c
@@ -105,7 +105,7 @@ static void print_comments(char *comments, int length)
end = c+length;
len=readint(c, 0);
c+=4;
- if (len < 0 || c+len>end)
+ if (len < 0 || c+len>end || c+len<c)
{
fprintf (stderr, "Invalid/corrupted comments\n");
return;
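Review bot: the new `c+len<c` term in this hunk only detects the wrap after the out-of-range pointer has already been formed, and pointer arithmetic past the end of the object is undefined behaviour in C, so a compiler is entitled to fold `c+len<c` to false (it already knows `len >= 0` from the first condition) and drop the check entirely. Comparing lengths avoids forming the pointer at all: `if (len < 0 || len > end - c)`; `end - c` is a well-defined difference here because `end` was derived from `c` and `length` a few lines above.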
@@ -129,7 +129,7 @@ static void print_comments(char *comments, int length)
}
len=readint(c, 0);
c+=4;
- if (len < 0 || c+len>end)
+ if (len < 0 || c+len>end || c+len<c)
{
fprintf (stderr, "Invalid/corrupted comments\n");
return;
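Review bot: same remark as for the first hunk: `c+len<c` relies on undefined pointer overflow and may be optimised away, so `len > end - c` is the robust form. Since the identical test now appears twice in `print_comments()`, a small static helper that checks `len` against `end - c` would keep both sites consistent and make the fix harder to lose in a later edit.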
Thanks!
--
Best regards,
Ruikai Liu
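The overflow-free form of the bounds check, as an added, self-contained example rather than code from the patch or from Speex itself. `read_le32()` is assumed to behave like speexdec's `readint()` (little-endian 32-bit read), `field_fits()` compares the field length against the bytes remaining instead of forming `c+len`, and the sample buffers are constructed for the test; the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed equivalent of speexdec's readint(): little-endian 32-bit read. */
static int32_t read_le32(const unsigned char *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Overflow-free bounds test: compare the requested length against the bytes
 * that remain between c and end.  No out-of-range pointer is ever formed, so
 * there is no wrap to detect and nothing for the compiler to fold away. */
static int field_fits(const unsigned char *c, const unsigned char *end, int32_t len)
{
    if (len < 0)
        return 0;
    return (ptrdiff_t)len <= end - c;
}

/* Walk a Vorbis-style comment block (vendor string, field count, fields),
 * applying the length-based check at every variable-length element.
 * Returns the number of user fields, or -1 if the block is malformed. */
int count_comment_fields(const unsigned char *comments, int length)
{
    const unsigned char *c = comments;
    const unsigned char *end;
    int32_t len, nb_fields, i;

    if (length < 8)
        return -1;
    end = comments + length;

    len = read_le32(c);
    c += 4;
    if (!field_fits(c, end, len))
        return -1;
    c += len;

    if (end - c < 4)
        return -1;
    nb_fields = read_le32(c);
    c += 4;
    if (nb_fields < 0)
        return -1;

    for (i = 0; i < nb_fields; i++) {
        if (end - c < 4)
            return -1;
        len = read_le32(c);
        c += 4;
        if (!field_fits(c, end, len))
            return -1;
        c += len;
    }
    return nb_fields;
}

/* Constructed sample: vendor "x", two fields "a=1" and "b=2". */
static const unsigned char SAMPLE_OK[] = {
    0x01, 0x00, 0x00, 0x00, 'x',
    0x02, 0x00, 0x00, 0x00,
    0x03, 0x00, 0x00, 0x00, 'a', '=', '1',
    0x03, 0x00, 0x00, 0x00, 'b', '=', '2'
};
/* Constructed sample: vendor length 0x7fffffff, far larger than the buffer. */
static const unsigned char SAMPLE_HUGE[] = { 0xff, 0xff, 0xff, 0x7f, 0, 0, 0, 0 };
/* Constructed sample: negative vendor length. */
static const unsigned char SAMPLE_NEG[] = { 0xff, 0xff, 0xff, 0xff, 0, 0, 0, 0 };
/* Constructed sample: SAMPLE_OK cut off inside the second field header. */
static const unsigned char SAMPLE_TRUNC[] = {
    0x01, 0x00, 0x00, 0x00, 'x',
    0x02, 0x00, 0x00, 0x00,
    0x03, 0x00, 0x00, 0x00, 'a', '=', '1'
};

int main(void)
{
    printf("ok:    %d\n", count_comment_fields(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("huge:  %d\n", count_comment_fields(SAMPLE_HUGE, sizeof SAMPLE_HUGE));
    printf("neg:   %d\n", count_comment_fields(SAMPLE_NEG, sizeof SAMPLE_NEG));
    printf("trunc: %d\n", count_comment_fields(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    return 0;
}
```

The check rejects the oversized length whatever address the buffer happens to live at, including above `0x80000000` on a 32-bit build, because the comparison is done on the remaining byte count rather than on a pointer that may have wrapped.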