Package: libisofs6
Version: 1.4.6-1

The susp_iter_next() function does the following:

    nblocks = DIV_UP(iter->ce_off + iter->ce_len, BLOCK_SIZE);
    iter->buffer = realloc(iter->buffer, nblocks * BLOCK_SIZE);
    for (block = 0; block < nblocks; ++block) {
        /* ... */
    }
    iter->base = iter->buffer + iter->ce_off;

(I omitted the boring parts.)

An overflow can happen in the computation of nblocks. For example, in the attached ISO file:

- iter->ce_off is 4294901808;
- iter->ce_len is 65328;
- nblocks is computed as 0;
- iter->base is set to a bogus pointer.

Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/

--
Jakub Wilk
intoverflow.iso.gz
Description: application/gzip
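The arithmetic in the report, reproduced as an added example (not code from libisofs or from the reporter). It assumes ce_off and ce_len are 32-bit unsigned values, BLOCK_SIZE is 2048, and DIV_UP(n, div) is the usual ((n) + (div) - 1) / (div) round-up macro; those are assumptions about libisofs, not something stated in the report. With the reporter's values the round-up addition wraps and nblocks becomes 0, so the buffer is (re)allocated with size 0 while base is placed ce_off bytes past it. The checked variant does the sum in 64 bits, caps the continuation-area size against a caller-chosen limit, and refuses anything that would put base outside the buffer:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values; BLOCK_SIZE and DIV_UP mirror the shape of the libisofs
 * macros as used in the report, not their actual definitions. */
#define BLOCK_SIZE 2048
#define DIV_UP(n, div) (((n) + (div) - 1) / (div))

/* The computation from susp_iter_next() as reported: 32-bit arithmetic,
 * no overflow check. With ce_off = 4294901808 and ce_len = 65328 the sum
 * is 0xFFFFFF60; adding BLOCK_SIZE - 1 wraps to 1887 and the division
 * yields 0. */
uint32_t nblocks_unchecked(uint32_t ce_off, uint32_t ce_len)
{
    return DIV_UP(ce_off + ce_len, BLOCK_SIZE);
}

/* Does base = buffer + ce_off, followed by ce_len bytes, stay inside a
 * buffer of nblocks * BLOCK_SIZE bytes? Computed in 64 bits so the check
 * itself cannot wrap. */
bool base_within_buffer(uint32_t nblocks, uint32_t ce_off, uint32_t ce_len)
{
    uint64_t buf_size = (uint64_t)nblocks * BLOCK_SIZE;
    return (uint64_t)ce_off + ce_len <= buf_size;
}

/* Hardened computation: widen before adding, reject sizes above a
 * caller-supplied limit (a hypothetical sanity bound on how much SUSP
 * continuation data one entry may reference), and only then round up.
 * Returns false instead of producing a bogus block count. */
bool nblocks_checked(uint32_t ce_off, uint32_t ce_len, uint32_t max_bytes,
                     uint32_t *nblocks)
{
    uint64_t end = (uint64_t)ce_off + ce_len;
    if (end > max_bytes)
        return false;
    *nblocks = (uint32_t)((end + BLOCK_SIZE - 1) / BLOCK_SIZE);
    return base_within_buffer(*nblocks, ce_off, ce_len);
}

int main(void)
{
    /* Values taken from the bug report. */
    uint32_t ce_off = 4294901808u, ce_len = 65328u, n;

    printf("unchecked nblocks = %u (base in bounds: %s)\n",
           nblocks_unchecked(ce_off, ce_len),
           base_within_buffer(nblocks_unchecked(ce_off, ce_len), ce_off, ce_len)
               ? "yes" : "no");
    printf("checked: %s\n",
           nblocks_checked(ce_off, ce_len, 64u * 1024 * 1024, &n)
               ? "accepted" : "rejected");
    return 0;
}
```

Note that realloc(ptr, 0) is implementation-defined (it may free and return NULL, or return a minimal allocation), so with nblocks == 0 the subsequent pointer arithmetic is undefined either way; the fix has to happen before the allocation, as in the checked variant, rather than by inspecting the returned pointer.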