1. clamav-devel
  2. Commit 7f9fc68e1cf8878320a1b0ce828b80b860436695
Browse code

bb12449: Fix for out-of-bounds read in DLP feature

An integer overflow causes an out-of-bounds read that results in
a crash. The crash may occur when using the optional
Data-Loss-Prevention (DLP) feature to block content that contains credit
card numbers. This commit fixes the issue by using a signed index variable.

Micah Snyder (micasnyd) authored on 2020/01/23 10:57:07
Showing 1 changed files
libclamav/dlp.c
History View file @ 7f9fc68
... ... 
@@ -176,6 +176,7 @@ int dlp_is_valid_cc(const unsigned char *buffer, size_t length)
176 176 
     int mult   = 0;
177 177 
     int sum    = 0;
178 178 
     size_t i   = 0;
179 
+    ssize_t j  = 0;
179 180 
     int val    = 0;
180 181 
     int digits = 0;
181 182 
     char cc_digits[20];
... ... 
@@ -232,9 +233,11 @@ int dlp_is_valid_cc(const unsigned char *buffer, size_t length)
232 232 
     if (digits < 13 || (i < length && isdigit(buffer[i])))
233 233 
         return 0;
234 234
235 
+    j = (ssize_t)i;
236 
+
235 237 
     //figure out luhn digits
236 
-    for (i = digits - 1; i >= 0; i--) {
237 
-        val = cc_digits[i] - '0';
238 
+    for (j = digits - 1; j >= 0; j--) {
239 
+        val = cc_digits[j] - '0';
238 240 
         if (mult) {
239 241 
             if ((val *= 2) > 9) val -= 9;
240 242 
         }