Package: libisofs6
Version: 1.4.6-1

The susp_iter_next() function does the following:

  nblocks = DIV_UP(iter->ce_off + iter->ce_len, BLOCK_SIZE);
  iter->buffer = realloc(iter->buffer, nblocks * BLOCK_SIZE);
  for (block = 0; block < nblocks; ++block) {
      /* ... */
  }
  iter->base = iter->buffer + iter->ce_off;

(I omitted the boring parts.)

An overflow can happen in the computation of nblocks.
For example, in the attached ISO file:
- iter->ce_off is 4294901808;
- iter->ce_len is 65328;
- nblocks is computed as 0;
- iter->base is set to a bogus pointer.

Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/

--
Jakub Wilk

Attachment: intoverflow.iso.gz
Description: application/gzip
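The arithmetic in the report, worked through as an added example (my code, not part of the bug report or of libisofs): with the attached ISO's values, ce_off + ce_len = 4294967136 still fits in 32 bits, but the "+ BLOCK_SIZE - 1" rounding step inside DIV_UP wraps past 2^32 to 1887, so the division yields nblocks = 0, realloc() shrinks the buffer to zero bytes, and base = buffer + ce_off points about 4 GiB past it. The example assumes BLOCK_SIZE is the ISO 9660 logical block size of 2048 and that DIV_UP has the usual (n + d - 1) / d shape; the checked variant is a hypothetical hardening, not the fix libisofs shipped.

```c
#include <stdint.h>
#include <stdio.h>

/* ISO 9660 logical block size, as used by libisofs (assumption about the constant). */
#define BLOCK_SIZE 2048u
/* Same shape as the DIV_UP() rounding macro in the report: round n up to blocks of d. */
#define DIV_UP(n, d) (((n) + (d) - 1) / (d))

/* Reproduces the computation from the report in 32-bit unsigned arithmetic.
 * For ce_off = 4294901808 and ce_len = 65328 the sum is 4294967136, which still
 * fits, but adding BLOCK_SIZE - 1 inside DIV_UP wraps to 1887, so the result is 0. */
uint32_t nblocks_wrapping(uint32_t ce_off, uint32_t ce_len)
{
    uint32_t end = ce_off + ce_len;
    return DIV_UP(end, BLOCK_SIZE);
}

/* Models the consequence without forming the bogus pointer: the buffer is
 * realloc'd to nblocks * BLOCK_SIZE bytes and base = buffer + ce_off is then
 * used to read ce_len bytes.  Returns 1 only if that read stays inside the buffer. */
int base_within_buffer(uint32_t ce_off, uint32_t ce_len)
{
    uint64_t alloc = (uint64_t)nblocks_wrapping(ce_off, ce_len) * BLOCK_SIZE;
    return (uint64_t)ce_off + ce_len <= alloc;
}

/* Hypothetical hardened variant: do the arithmetic in 64 bits and bound the
 * result so that neither the sum nor the round-up can wrap, and so that a
 * zero-length CE area cannot produce an empty allocation that is then indexed.
 * Returns the block count, or -1 if the CE fields are out of range. */
int64_t nblocks_checked(uint32_t ce_off, uint32_t ce_len)
{
    uint64_t end = (uint64_t)ce_off + ce_len;
    if (ce_len == 0 || end > (uint64_t)UINT32_MAX - (BLOCK_SIZE - 1))
        return -1;
    return (int64_t)((end + BLOCK_SIZE - 1) / BLOCK_SIZE);
}

int main(void)
{
    uint32_t off = 4294901808u, len = 65328u;   /* values from the attached ISO */
    printf("wrapping: nblocks=%u, read in bounds=%d\n",
           nblocks_wrapping(off, len), base_within_buffer(off, len));
    printf("checked:  %lld\n", (long long)nblocks_checked(off, len));
    return 0;
}
```

The point of the bound check is that the overflow is in the rounding, not in the sum itself: validating only ce_off + ce_len against UINT32_MAX would still let these values through.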
