From: Marcus M. <ma...@je...> - 2017-03-20 06:17:33
Hi,

Please check with current git. I imported various overflow checks from
libgphoto2. The code in the meantime has:

    if (s > 1024) {
        ptp_debug (params, "customfuncex data is larger than 1k / %d... unexpected?", s);
        return strdup("bad length");
    }

Ciao, Marcus

On Mon, Mar 20, 2017 at 11:19:15AM +0800, wyk...@gm... wrote:
> Hi, I find another integer overflow bug in libmtp:
>
> Overflow point:
> static inline char* ptp_unpack_EOS_CustomFuncEx (PTPParams* params, unsigned char** data )
> |
> |->uint32_t s = dtoh32a( *data ); // get a uint32_t number from data
>    uint32_t n = s/4, i;
>    char* str = (char*)malloc( s*2+s/4+1 ); // malloc buffer; if s is very large the size wraps, leading to a smaller buffer
>    if (!str)
>        return str;
>    char* p = str;
>
>    for (i=0; i < n; ++i) // copy data; will overwrite past the buffer
>        p += sprintf(p, "%x,", dtoh32a( *data + 4*i ));
>
>    return str;
>
> Trigger:
> uint16_t ptp_check_eos_events (PTPParams *params)
> |
> |->CHECK_PTP_RC(ptp_canon_eos_getevent (params, &entries, &nrofentries));
>    |
>    |->CHECK_PTP_RC(ptp_transaction(params, &ptp, PTP_DP_GETDATA, 0, &data, &size)); // get data by PTP_DP_GETDATA transaction
>       *nrofentries = ptp_unpack_CANON_changes(params,data,size,entries);
>       |
>       |->dpd->FactoryDefaultValue.str = ptp_unpack_EOS_CustomFuncEx( params, &xdata );
>
> Although there is no call to ptp_check_eos_events in libmtp, it may be reached in some other way. And the data is controllable, so the overflow in ptp_unpack_EOS_CustomFuncEx can be triggered.
>
> Fix:
> Add checking in ptp_unpack_EOS_CustomFuncEx:
> + if ( (uint64_t)s * 2 + (uint64_t)s / 4 + 1 >= UINT_MAX)
> + return NULL;
> char* str = (char*)malloc( s*2+s/4+1 );
>
> wyk...@gm...
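Review bot: the added check in the `+` lines guards only the size handed to `malloc`; nothing in `ptp_unpack_EOS_CustomFuncEx` bounds `s` against the number of bytes actually present at `*data`, so the loop `for (i=0; i < n; ++i)` still reads `4*n` bytes from the input on the strength of a length field that comes from the device. Consider passing the remaining data length into the unpacker (the caller `ptp_unpack_CANON_changes` already has `size`) and rejecting `s` larger than that, in addition to the overflow check; a tight cap on `s` (upstream now uses 1024) also makes the `>= UINT_MAX` comparison moot. Also, the bare `return NULL` is indistinguishable from the existing `if (!str) return str;` malloc-failure path; a `ptp_debug` message on the rejected length would help callers and log readers tell a malformed packet from OOM.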
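As an added illustration of the wrap the report describes (this is not code from libmtp or from either poster): the unchecked `s*2+s/4+1` size computation beside a checked one, and a hypothetical hardened unpacker that also takes the received length so the copy loop cannot read past the data. All function names are assumptions, and the sample blobs are constructed.

```c
#define _POSIX_C_SOURCE 200809L /* for strdup */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Size computation as in the report: uint32_t arithmetic wraps for large s. */
static uint32_t buflen_unchecked(uint32_t s) { return s * 2 + s / 4 + 1; }
/* Checked variant: each of the s/4 words prints as at most 8 hex digits plus a
 * comma, so 9*(s/4) <= s*2 + s/4 chars plus a NUL are needed. Evaluated in 64
 * bits and bounded like the proposed patch; 0 means "would have wrapped". */
static uint32_t buflen_checked(uint32_t s)
{
    uint64_t need = (uint64_t)s * 2 + (uint64_t)s / 4 + 1;
    return need >= UINT32_MAX ? 0 : (uint32_t)need;
}

static uint32_t le32(const unsigned char *b) /* little-endian, like dtoh32a */
{
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* Hypothetical hardened unpacker (not libmtp's): caps s at 1024 as upstream now
 * does, and also refuses a length word claiming more bytes than were received. */
static char *unpack_customfuncex(const unsigned char *data, size_t datalen)
{
    uint32_t s, n, i, len;
    char *str, *p;
    if (datalen < 4) return NULL;
    s = le32(data);
    if (s > 1024) return strdup("bad length");
    if (s > datalen) return NULL;               /* loop reads 4*(s/4) <= s bytes */
    if ((len = buflen_checked(s)) == 0 || (str = malloc(len)) == NULL) return NULL;
    for (i = 0, n = s / 4, p = str, *p = '\0'; i < n; ++i)
        p += sprintf(p, "%x,", le32(data + 4 * i));
    return str;
}

/* Test helper: 1 if unpacking data yields expect (NULL meaning "rejected"). */
static int unpack_gives(const unsigned char *data, size_t datalen, const char *expect)
{
    char *r = unpack_customfuncex(data, datalen);
    int ok = r ? (expect && strcmp(r, expect) == 0) : (expect == NULL);
    free(r);
    return ok;
}
/* Constructed sample blobs: valid, over the 1k cap, and truncated. */
static const unsigned char blob_ok[]    = { 8, 0, 0, 0, 0xEF, 0xBE, 0xAD, 0xDE }; /* s = 8 */
static const unsigned char blob_big[]   = { 1, 4, 0, 0 };                         /* s = 1025 */
static const unsigned char blob_short[] = { 16, 0, 0, 0, 1, 2, 3, 4 };            /* s = 16 */
```

With s = 0xFFFFFFFF the unchecked expression yields 0x3FFFFFFE, a buffer a quarter of the claimed input length, while the checked variant rejects it.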