
fuzz - 12194 - adding missed backbytes check to upx and casting to ensuring more explicit size

Mickey Sola authored on 2019/02/01 06:52:21
Showing 1 changed files
@@ -317,8 +317,8 @@ int upx_inflate2b(const char *src, uint32_t ssize, char *dst, uint32_t *dsize, u
317 317
     while (1) {
318 318
       if ( (oob = doubleebx(src, &myebx, &scur, ssize)) == -1 )
319 319
         return -1;
320
-            if (backbytes + oob > INT32_MAX / 2)
321
-                return -1;
320
+      if (((int64_t) backbytes + oob ) > INT32_MAX / 2)
321
+        return -1;
322 322
       backbytes = backbytes*2+oob;
323 323
       if ( (oob = doubleebx(src, &myebx, &scur, ssize)) == -1 )
324 324
 	return -1;
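Review bot: The bound `INT32_MAX / 2` in the new `if` is repeated in all five hunks with nothing saying what it protects, and a reader has to infer that it is the following `backbytes = backbytes*2+oob;` whose result must stay representable; I would put `/* backbytes is doubled below; bail before backbytes*2+oob can overflow */` above each check. Since the same two-line guard now precedes every doubling in upx_inflate2b/2d/2e, a small `static` helper that does the check and the doubling together would keep the three decoders from drifting apart, which is presumably how the second loops of 2d and 2e came to lack the check this commit adds. The declared types of backbytes and oob are not in view; the `(int64_t)` cast only buys anything if backbytes is a 32-bit signed type and oob is small, which is assumed here and worth confirming. upx_inflate2b's body starts before and continues after the hunk.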
@@ -402,8 +402,8 @@ int upx_inflate2d(const char *src, uint32_t ssize, char *dst, uint32_t *dsize, u
402 402
     while (1) {
403 403
       if ( (oob = doubleebx(src, &myebx, &scur, ssize)) == -1 )
404 404
         return -1;
405
-            if (backbytes + oob > INT32_MAX / 2)
406
-                return -1;
405
+      if (((int64_t) backbytes + oob ) > INT32_MAX / 2)
406
+        return -1;
407 407
       backbytes = backbytes*2+oob;
408 408
       if ( (oob = doubleebx(src, &myebx, &scur, ssize)) == -1 )
409 409
         return -1;
@@ -412,6 +412,8 @@ int upx_inflate2d(const char *src, uint32_t ssize, char *dst, uint32_t *dsize, u
412 412
       backbytes--;
413 413
       if ( (oob = doubleebx(src, &myebx, &scur, ssize)) == -1 )
414 414
         return -1;
415
+      if (((int64_t) backbytes + oob ) > INT32_MAX / 2)
416
+        return -1;
415 417
       backbytes=backbytes*2+oob;
416 418
     }
417 419
 
@@ -493,8 +495,8 @@ int upx_inflate2e(const char *src, uint32_t ssize, char *dst, uint32_t *dsize, u
493 493
     for(;;) {
494 494
       if ( (oob = doubleebx(src, &myebx, &scur, ssize)) == -1 )
495 495
         return -1;
496
-            if (backbytes + oob > INT32_MAX / 2)
497
-                return -1;
496
+      if (((int64_t) backbytes + oob ) > INT32_MAX / 2)
497
+        return -1;
498 498
       backbytes = backbytes*2+oob;
499 499
       if ( (oob = doubleebx(src, &myebx, &scur, ssize)) == -1 )
500 500
         return -1;
@@ -503,6 +505,8 @@ int upx_inflate2e(const char *src, uint32_t ssize, char *dst, uint32_t *dsize, u
503 503
       backbytes--;
504 504
       if ( (oob = doubleebx(src, &myebx, &scur, ssize)) == -1 )
505 505
         return -1;
506
+      if (((int64_t) backbytes + oob ) > INT32_MAX / 2)
507
+        return -1;
506 508
       backbytes=backbytes*2+oob;
507 509
     }
508 510