From: Marcus M. <ma...@je...> - 2017-03-20 06:17:33
Hi,
Please check with current git.
I imported various overflow checks from libgphoto2.
The code in the meantime has:
if (s > 1024) {
ptp_debug (params, "customfuncex data is larger than 1k / %d... unexpected?", s);
return strdup("bad length");
}
Ciao, Marcus
On Mon, Mar 20, 2017 at 11:19:15AM +0800, wyk...@gm... wrote:
> Hi, I found another integer overflow bug in libmtp:
>
> Overflow point:
> static inline char* ptp_unpack_EOS_CustomFuncEx (PTPParams* params, unsigned char** data )
> |
> |->uint32_t s = dtoh32a( *data ); //get an uint32_t number from data
> uint32_t n = s/4, i;
> char* str = (char*)malloc( s*2+s/4+1 ); //malloc buffer, if s is very large, it'll overflow leading to malloc a smaller buffer
> if (!str)
> return str;
> char* p = str;
>
> for (i=0; i < n; ++i) //copy data, will lead to overwrite
> p += sprintf(p, "%x,", dtoh32a( *data + 4*i ));
>
> return str;
>
> Trigger:
> uint16_t ptp_check_eos_events (PTPParams *params)
> |
> |->CHECK_PTP_RC(ptp_canon_eos_getevent (params, &entries, &nrofentries));
> |
> |->CHECK_PTP_RC(ptp_transaction(params, &ptp, PTP_DP_GETDATA, 0, &data, &size)); //get data by PTP_DP_GETDATA transaction
> *nrofentries = ptp_unpack_CANON_changes(params,data,size,entries);
> |
> |->dpd->FactoryDefaultValue.str = ptp_unpack_EOS_CustomFuncEx( params, &xdata );
>
> Though there is no call to ptp_check_eos_events in libmtp, it may be reached in some other way. And the data is controllable, so the overflow in ptp_unpack_EOS_CustomFuncEx can be triggered.
>
> Fix:
> Add checking in ptp_unpack_EOS_CustomFuncEx:
> + if ( (uint64_t)s * 2 + (uint64_t)s / 4 + 1 >= UINT_MAX)
> + return NULL;
> char* str = (char*)malloc( s*2+s/4+1 );
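Review bot: the 64-bit comparison stops the 32-bit wrap of the malloc() size, but it leaves `s` itself unbounded against the bytes actually received, so the loop's `dtoh32a( *data + 4*i )` still reads `s` bytes from the packet no matter how much data the PTP_DP_GETDATA transaction delivered (the `size` that ptp_canon_eos_getevent obtains is never consulted here). Suggest pairing the arithmetic guard with a length check such as `if (s > remaining_bytes) return NULL;` (or a fixed cap in the spirit of the `s > 1024` check shown in the reply), so that both the allocation and the reads are bounded by the input. The `>= UINT_MAX` bound is stricter than strictly needed, which is harmless, and returning NULL is consistent with the existing `if (!str) return str;` path.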
>
> _______________________________________________
> Libmtp-discuss mailing list
> Lib...@li...
> https://lists.sourceforge.net/lists/listinfo/libmtp-discuss
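As an added example (not libmtp's or libgphoto2's code), the following C program shows the three size computations that matter in this report side by side: the unchecked `s*2+s/4+1` evaluated in uint32_t as in the original function, the same quantity in 64-bit arithmetic, and a guard in the shape of the proposed fix. It then sketches a hardened unpacker that, unlike the reported function, also receives the number of bytes actually available and rejects an `s` larger than that, so neither the allocation nor the per-entry reads can run past the input. The function names, the little-endian helper `le32` standing in for `dtoh32a`, the constructed length 1908874354 (chosen so that 2*s + s/4 lands exactly on 2^32) and the constructed sample payloads are all assumptions of this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Little-endian 32-bit read, standing in for libmtp's dtoh32a() (assumption). */
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 1. The size expression as written in the report, evaluated in uint32_t:
 *    this is the value malloc() actually receives after wrap-around. */
uint32_t customfuncex_size_wrapped(uint32_t s) {
    return s * 2 + s / 4 + 1;
}

/* 2. The same quantity in 64-bit arithmetic, where it cannot wrap. */
uint64_t customfuncex_size_exact(uint32_t s) {
    return (uint64_t)s * 2 + (uint64_t)s / 4 + 1;
}

/* 3. Guard in the shape of the fix proposed in the report. Returns 1 and
 *    stores the size when it is representable, 0 when it would wrap. */
int customfuncex_size_checked(uint32_t s, uint32_t *out) {
    uint64_t need = customfuncex_size_exact(s);
    if (need >= UINT_MAX)
        return 0;
    *out = (uint32_t)need;
    return 1;
}

int guard_rejects(uint32_t s) {
    uint32_t out;
    return !customfuncex_size_checked(s, &out);
}

/* Hardened unpacker (example code). It takes the number of bytes available
 * and refuses a length word that exceeds it, then sizes the output with the
 * checked computation. Each entry prints as at most 8 hex digits plus ',',
 * so 9*n + 1 bytes always suffice and 2*s + s/4 + 1 >= 9*(s/4) + 1 covers it. */
char *unpack_customfuncex_safe(const unsigned char *data, size_t datalen) {
    uint32_t s, need, n, i;
    char *str, *p;

    if (datalen < 4)
        return NULL;
    s = le32(data);
    /* As in the reported loop, entry 0 is the length word itself, so s
       counts the whole list including that word. */
    if (s < 4 || s > datalen || (s % 4) != 0)
        return NULL;
    if (!customfuncex_size_checked(s, &need))
        return NULL;

    n = s / 4;
    str = malloc(need);
    if (!str)
        return NULL;
    p = str;
    *p = '\0';
    for (i = 0; i < n; ++i) {
        size_t left = need - (size_t)(p - str);
        int w = snprintf(p, left, "%x,", le32(data + 4 * i));
        if (w < 0 || (size_t)w >= left) { free(str); return NULL; }
        p += w;
    }
    return str;
}

/* Constructed 12-byte payload: s=12, then 0xdeadbeef and 1. */
int sample_unpack_matches(void) {
    unsigned char buf[12] = { 12,0,0,0, 0xef,0xbe,0xad,0xde, 1,0,0,0 };
    char *out = unpack_customfuncex_safe(buf, sizeof buf);
    int ok = out != NULL && strcmp(out, "c,deadbeef,1,") == 0;
    free(out);
    return ok;
}

/* Constructed payload whose length word (16) claims more than the 12 bytes present. */
int oversized_claim_rejected(void) {
    unsigned char lie[12] = { 0x10,0,0,0, 0,0,0,0, 0,0,0,0 };
    return unpack_customfuncex_safe(lie, sizeof lie) == NULL;
}

int main(void) {
    uint32_t s = 1908874354u;   /* constructed: 2*s + s/4 == 2^32 exactly */
    printf("s=%u: wrapped size=%u exact size=%llu guard=%s\n", s,
           customfuncex_size_wrapped(s),
           (unsigned long long)customfuncex_size_exact(s),
           guard_rejects(s) ? "reject" : "accept");
    printf("sample payload unpacks correctly: %s\n",
           sample_unpack_matches() ? "yes" : "no");
    printf("oversized length word rejected: %s\n",
           oversized_claim_rejected() ? "yes" : "no");
    return 0;
}
```

With the constructed length the wrapped computation hands malloc() a single byte while the loop would still run 477218588 iterations of up to nine bytes each, which is the heap overwrite the report describes; the 64-bit value is 4294967297 and the guard rejects it. The length check against `datalen` is the part the proposed patch does not cover and the part a reviewer would ask for alongside it.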