On Mon, 25 May 2015, Hubert Chathi wrote:
> the type of len from int to ushort. However, len is only ever set to
>
> len = (data[2] << 8 | data[3]) - 2
>
> and so will always be less than 0x10000, so I don't see how len can
> overflow with >= 32-bit ints. I can see how it could cause problems
> with a signed 16-bit int, but unless I'm missing something, it shouldn't
> affect Debian in any way, since all our arch's are >= 32-bits.
>
> Is that correct, or is my assessment wrong?
It appears to be wrong. See the analysis here:
https://bugzilla.redhat.com/show_bug.cgi?id=1221249#c10

The problem is that you can trigger a negative "len" which will result in a very big number once implicitly converted to a size_t in the fread() call.

BTW, RedHat uses a more comprehensive fix that bails out if the length ends up negative:
https://bugzilla.redhat.com/attachment.cgi?id=1027072&action=diff

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
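An added illustration of the point made in this reply (example code written for this thread, not code from the package under discussion or from either Red Hat's or Debian's patch): the quoted length computation yields a negative int for a declared length below 2, that int wraps to a huge value when converted to size_t for fread(), and a check of the kind described (bail out when the length would go negative) prevents it. The 4-byte sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample headers: bytes 2 and 3 hold a big-endian length field,
 * bytes 0 and 1 stand in for whatever precedes it in the real format. */
const unsigned char BAD_HDR[4]  = {0x80, 0x02, 0x00, 0x01}; /* declared length 1 */
const unsigned char GOOD_HDR[4] = {0x80, 0x02, 0x01, 0x00}; /* declared length 256 */

/* Length computed exactly as in the quoted code: (data[2] << 8 | data[3]) - 2.
 * With a 32-bit int this cannot exceed 0xFFFD, but it CAN go negative. */
int header_len(const unsigned char data[4])
{
    return (data[2] << 8 | data[3]) - 2;
}

/* The count fread() actually receives: the int is implicitly converted to
 * size_t, so -1 becomes SIZE_MAX and the read is no longer bounded. */
size_t fread_count(const unsigned char data[4])
{
    int len = header_len(data);
    return (size_t)len;
}

/* Hardened variant in the spirit of the "bail out if negative" fix:
 * returns the usable length, or -1 if the declared length is below 2. */
long checked_len(const unsigned char data[4])
{
    int raw = data[2] << 8 | data[3];
    if (raw < 2)
        return -1;          /* reject rather than let the subtraction wrap */
    return raw - 2;
}

int main(void)
{
    printf("bad header:  len=%d, fread count=%zu, checked=%ld\n",
           header_len(BAD_HDR), fread_count(BAD_HDR), checked_len(BAD_HDR));
    printf("good header: len=%d, fread count=%zu, checked=%ld\n",
           header_len(GOOD_HDR), fread_count(GOOD_HDR), checked_len(GOOD_HDR));
    return 0;
}
```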