An integer overflow causes an out-of-bounds read that results in
a crash. The crash may occur when using the optional
Data-Loss-Prevention (DLP) feature to block content that contains credit
card numbers. This commit fixes the issue by using a signed index variable.
... | ... |
@@ -176,6 +176,7 @@ int dlp_is_valid_cc(const unsigned char *buffer, size_t length) |
176 | 176 |
int mult = 0; |
177 | 177 |
int sum = 0; |
178 | 178 |
size_t i = 0; |
179 |
+ ssize_t j = 0; |
|
179 | 180 |
int val = 0; |
180 | 181 |
int digits = 0; |
181 | 182 |
char cc_digits[20]; |
... | ... |
@@ -232,9 +233,11 @@ int dlp_is_valid_cc(const unsigned char *buffer, size_t length) |
232 | 232 |
if (digits < 13 || (i < length && isdigit(buffer[i]))) |
233 | 233 |
return 0; |
234 | 234 |
|
235 |
+ j = (ssize_t)i; |
|
236 |
+ |
|
235 | 237 |
//figure out luhn digits |
236 |
- for (i = digits - 1; i >= 0; i--) { |
|
237 |
- val = cc_digits[i] - '0'; |
|
238 |
+ for (j = digits - 1; j >= 0; j--) { |
|
239 |
+ val = cc_digits[j] - '0'; |
|
238 | 240 |
if (mult) { |
239 | 241 |
if ((val *= 2) > 9) val -= 9; |
240 | 242 |
} |