On 2015-01-18 18:59:33 [+0100], Jakub Wilk wrote:
> Sorry, it's me again! libmspack crashes on the attached file:

As I've seen your ubsan reports, I assumed you were done. Wrong this was.

> $ gpg -d < crash.chm.asc > crash.chm
> $ test/chmd_md5 crash.chm
> *** crash.chm
>
> but it'd be better to fix the thing that sets "p" to a value past the "end".

So something like the patch attached then? But this should be double-checked in case we properly come to end and don't continue using p anymore. But not today…

Sebastian
>From d78acf012a47fb4e868a87ef738a947ad3aa7ea3 Mon Sep 17 00:00:00 2001 From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Date: Sun, 18 Jan 2015 22:47:45 +0100 Subject: [PATCH] mspack/chmd: check p > end also after we left Jakub's AFL produced a case where "p" reads the name_len just just at the end of the buffer. The macro increases p and makes it bigger than end. The following oversize check fails on 32bit and booooom. The patch ensures that we check p vs end even after we legally leave the loop. Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> --- mspack/chmd.c | 1 + 1 file changed, 1 insertion(+) diff --git a/mspack/chmd.c b/mspack/chmd.c index 4caff45..22661f2 100644 --- a/mspack/chmd.c +++ b/mspack/chmd.c @@ -257,6 +257,7 @@ static const unsigned char guids[32] = { if (p > end) goto chunk_end; \ (var) = ((var) << 7) | (*p & 0x7F); \ } while (*p++ & 0x80); \ + if (p > end) goto chunk_end; \ } while (0) static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh, -- 2.1.3
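Review bot: the added `if (p > end) goto chunk_end;` after the loop only catches `p` once `*p++` has already advanced it, and the in-loop guard is `if (p > end)`, so a read of `*p` at `p == end` is still allowed in the last iteration; whether that is the one-byte over-read behind the report depends on whether `end` is the last valid byte or one past it, and the macro should say which (or use `>=` if `end` is exclusive). Separately, the commit message says the "following oversize check fails on 32bit" once `p` is past `end`; if that check compares `p + name_len` against `end`, consider expressing it as a length comparison (`name_len > end - p`) so it cannot wrap on 32-bit regardless of this new guard, and add a regression test with Jakub's AFL case so the fix stays covered.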