[Speex-dev] [PATCH]Add address overflow check
Jean-Marc Valin
jmvalin at jmvalin.ca
Fri Feb 9 15:56:20 UTC 2018
Pointers are unsigned so this shouldn't be an issue. I suspect you're
being hit by something else. That or your compiler is really broken.
Cheers,
Jean-Marc
On 02/09/2018 04:42 AM, Ruikai Liu wrote:
> Hi,
>
> I came into a crash when using 32-bit `speexdec` and found that there's
> an address overflow in function `print_comments()`:
>
> static void print_comments(char *comments, int length)
> {
>    char *c=comments;
>    int len, i, nb_fields;
>    char *end;
>
>    if (length<8)
>    {
>       fprintf (stderr, "Invalid/corrupted comments\n");
>       return;
>    }
>    end = c+length;
>    len=readint(c, 0);
>    c+=4;
>    // 'c+len' MAY OVERFLOW
>    if (len < 0 || c+len>end)
>    {
>       fprintf (stderr, "Invalid/corrupted comments\n");
>       return;
>    }
>
>
> The pointer `c` happened to be greater than `0x80000000` and the sum
> overflowed, even though `length` is positive.
>
> Here's the patch code:
>
> *diff --git a/src/speexdec.c b/src/speexdec.c*
>
> *index 4721dc1..18786f1 100644*
>
> *--- a/src/speexdec.c*
>
> *+++ b/src/speexdec.c*
>
> @@ -105,7 +105,7 @@static void print_comments(char *comments, int length)
>
> end = c+length;
>
> len=readint(c, 0);
>
> c+=4;
>
> - if (len < 0 || c+len>end)
>
> + if (len < 0 || c+len>end || c+len<c)
>
> {
>
> fprintf (stderr, "Invalid/corrupted comments\n");
>
> return;
>
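Review bot: the new `c+len<c` term relies on pointer arithmetic wrapping around, but forming `c+len` beyond the end of the comment buffer is undefined behaviour in C, so an optimizing compiler may assume `c+len >= c` always holds and drop the comparison; the pre-existing `c+len>end` test has the same weakness on a corrupted `len`. Keep the arithmetic in integers instead: `if (len < 0 || len > end - c)` checks the same bound without ever computing an out-of-range pointer (`end - c` is a `ptrdiff_t` inside the buffer, and `len < 0` already rejects the values that read back as negative).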
> @@ -129,7 +129,7 @@static void print_comments(char *comments, int length)
>
> }
>
> len=readint(c, 0);
>
> c+=4;
>
> - if (len < 0 || c+len>end)
>
> + if (len < 0 || c+len>end || c+len<c)
>
> {
>
> fprintf (stderr, "Invalid/corrupted comments\n");
>
> return;
>
>
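Review bot: this second site duplicates the first check verbatim, including the `c+len<c` term that depends on undefined pointer overflow; apply the same integer form here, `if (len < 0 || len > end - c)`, or move the test into a small helper so the two call sites cannot drift apart when one of them is fixed.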
> Thanks!
>
> --
> Best regards,
>
> Ruikai Liu
>
>
> _______________________________________________
> Speex-dev mailing list
> Speex-dev at xiph.org
> http://lists.xiph.org/mailman/listinfo/speex-dev
>
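An added example, not code from the original post or from the Speex project, showing the integer form of the bounds check that the quoted patch is reaching for. The parser below walks a comment block with the layout the quoted `print_comments()` reads (a 4-byte little-endian vendor length and string, a 4-byte field count, then length-prefixed fields) and compares each length against the bytes remaining instead of computing `c+len`, so no pointer is ever advanced past the end of the block and there is nothing to wrap. `read_le32`, `take_field`, `count_comment_fields` and both sample buffers are constructed for this example; `read_le32` stands in for the `readint()` helper the quoted code calls and is assumed to match its little-endian behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: vendor "Xiph", then 2 fields "a=1" and "bb=22";
 * every length is a little-endian 32-bit integer. */
const unsigned char SAMPLE_OK[] = {
    4, 0, 0, 0, 'X', 'i', 'p', 'h',
    2, 0, 0, 0,
    3, 0, 0, 0, 'a', '=', '1',
    5, 0, 0, 0, 'b', 'b', '=', '2', '2'
};

/* Constructed sample: the only field claims length 0x7FFFFFFF, far past the end. */
const unsigned char SAMPLE_BAD[] = {
    4, 0, 0, 0, 'X', 'i', 'p', 'h',
    1, 0, 0, 0,
    0xFF, 0xFF, 0xFF, 0x7F, 'a', '=', '1'
};

/* Little-endian read; assumed equivalent to the readint() helper speexdec uses. */
static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Consume one length-prefixed field starting at *pos.
 * Invariant: *pos <= length on entry, so length - *pos is the bytes remaining.
 * The bounds test is done on integers, never on a pointer that may lie past
 * the end of buf, so there is no overflow to reason about on any platform. */
static int take_field(const unsigned char *buf, size_t length, size_t *pos,
                      const unsigned char **field, size_t *field_len)
{
    uint32_t len;
    if (length - *pos < 4)
        return 0;
    len = read_le32(buf + *pos);
    *pos += 4;
    if (len > length - *pos)          /* instead of: buf + *pos + len > end */
        return 0;
    *field = buf + *pos;
    *field_len = len;
    *pos += len;
    return 1;
}

/* Returns the number of comment fields, or -1 if the block is corrupt. */
int count_comment_fields(const unsigned char *buf, size_t length)
{
    size_t pos = 0, flen;
    const unsigned char *f;
    uint32_t nb, i;

    if (length < 8)                     /* same minimum as the quoted function */
        return -1;
    if (!take_field(buf, length, &pos, &f, &flen))   /* vendor string */
        return -1;
    if (length - pos < 4)
        return -1;
    nb = read_le32(buf + pos);
    pos += 4;
    if (nb > (length - pos) / 4)        /* each field needs at least its 4-byte length */
        return -1;
    for (i = 0; i < nb; i++) {
        if (!take_field(buf, length, &pos, &f, &flen))
            return -1;
        printf("field %u: %.*s\n", (unsigned)i, (int)flen, (const char *)f);
    }
    return (int)nb;
}

int main(void)
{
    printf("ok block: %d fields\n", count_comment_fields(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("bad block: %d\n", count_comment_fields(SAMPLE_BAD, sizeof SAMPLE_BAD));
    printf("truncated block: %d\n", count_comment_fields(SAMPLE_OK, 7));
    return 0;
}
```

The only state the checks depend on is `pos <= length`, which every branch preserves, so `length - pos` can never underflow and a claimed length is rejected by a plain integer comparison regardless of where the buffer sits in the address space.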