Package: libisofs6
Version: 1.4.6-1

The read_rr_SL() function contains the following code:

  size_t size = strlen(*dest);
  *dest = realloc(*dest, strlen(*dest) + len + 2);
  if (*dest == NULL) {
      return ISO_OUT_OF_MEM;
  }
  /* it is a new compoenent, add the '/' */
  if ((*dest)[size-1] != '/') {
      (*dest)[size] = '/';
      (*dest)[size+1] = '\0';
  }

This works correctly if the *dest string is non-empty.
But if the string is empty, size is 0, so the check (*dest)[size-1] reads one byte before the allocated buffer (a heap under-read).
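For illustration, here is the same realloc-and-append step with the empty-string case guarded. This is a constructed example, not libisofs code and not from the report; the function name is made up, and treating an empty *dest as the start of a relative target (no leading '/') is an assumption of the example.

```c
#include <stdlib.h>
#include <string.h>

#define ISO_SUCCESS     1
#define ISO_OUT_OF_MEM -1

/* Hypothetical name; models the step quoted from read_rr_SL().
 * *dest is a NUL-terminated heap string, comp/len the next path
 * component (not NUL-terminated). */
static int append_sl_component(char **dest, const char *comp, size_t len)
{
    size_t size = strlen(*dest);
    /* Grow via a temporary so a failed realloc does not leak *dest. */
    char *grown = realloc(*dest, size + len + 2); /* '/', comp, NUL */
    if (grown == NULL)
        return ISO_OUT_OF_MEM;
    *dest = grown;
    /* The report's test is (*dest)[size-1] != '/'. With size == 0 that
     * indexes one byte before the allocation. Checking size first keeps
     * the read inside the block; by assumption an empty *dest is the
     * start of a relative target and gets no leading '/'. */
    if (size > 0 && (*dest)[size - 1] != '/')
        (*dest)[size++] = '/';
    memcpy(*dest + size, comp, len);
    (*dest)[size + len] = '\0';
    return ISO_SUCCESS;
}

/* Builds two targets from constructed components: the empty-*dest case
 * the report describes, and a normal absolute one. Returns 1 if both match. */
static int self_check(void)
{
    int ok = 1;
    char *rel = calloc(1, 1);   /* "" : the input that under-read */
    char *abs = calloc(2, 1);   /* "/" : already ends in a separator */
    if (rel == NULL || abs == NULL) { free(rel); free(abs); return 0; }
    abs[0] = '/';
    ok &= append_sl_component(&rel, "usr", 3) == ISO_SUCCESS;
    ok &= append_sl_component(&rel, "lib", 3) == ISO_SUCCESS;
    ok &= strcmp(rel, "usr/lib") == 0;
    ok &= append_sl_component(&abs, "etc", 3) == ISO_SUCCESS;
    ok &= strcmp(abs, "/etc") == 0;
    free(rel);
    free(abs);
    return ok;
}

int main(void)
{
    return self_check() ? 0 : 1;
}
```

Running it under valgrind reports no invalid reads for the empty-string input, which is the check that distinguishes it from the quoted code.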

The bug can be reproduced with the attached ISO image:

  $ valgrind xorriso -indev underread.iso -ls
  ...
  ==7162== Invalid read of size 1
  ==7162==    at 0x49A96AC: read_rr_SL (rockridge_read.c:382)
  ==7162==    by 0x49855FE: iso_file_source_new_ifs.constprop.36 (fs_image.c:1688)
  ==7162==    by 0x4985EC1: ifs_get_root (fs_image.c:2140)
  ==7162==    by 0x498D964: iso_image_import (fs_image.c:5736)
  ==7162==    by 0x486B4E6: isoburn_read_image (isofs_wrap.c:316)
  ==7162==    by 0x48CC706: Xorriso_aquire_drive (drive_mgt.c:565)
  ==7162==    by 0x48AE9A8: Xorriso_option_dev (opts_d_h.c:122)
  ==7162==    by 0x48A0924: Xorriso_interpreter (parse_exec.c:1389)
  ==7162==    by 0x108BA6: main (xorriso_main.c:265)
  ==7162==  Address 0x510eaef is 1 bytes before a block of size 3 alloc'd
  ==7162==    at 0x483047C: realloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
  ==7162==    by 0x49A968E: read_rr_SL (rockridge_read.c:377)
  ==7162==    by 0x49855FE: iso_file_source_new_ifs.constprop.36 (fs_image.c:1688)
  ==7162==    by 0x4985EC1: ifs_get_root (fs_image.c:2140)
  ==7162==    by 0x498D964: iso_image_import (fs_image.c:5736)
  ==7162==    by 0x486B4E6: isoburn_read_image (isofs_wrap.c:316)
  ==7162==    by 0x48CC706: Xorriso_aquire_drive (drive_mgt.c:565)
  ==7162==    by 0x48AE9A8: Xorriso_option_dev (opts_d_h.c:122)
  ==7162==    by 0x48A0924: Xorriso_interpreter (parse_exec.c:1389)
  ==7162==    by 0x108BA6: main (xorriso_main.c:265)
  ...

Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Architecture: i386

Versions of packages libisofs6 depends on:
ii  libacl1  2.2.52-3+b1
ii  libc6    2.24-14
ii  libjte1  1.20-2+b1
ii  zlib1g   1:1.2.8.dfsg-5

--
Jakub Wilk