Browse code
fuzz - 12251 - fixing left shifting issue with upx decoding when determining back offsets
Mickey Sola authored on 2019/01/16 04:52:26Showing 1 changed files
| ... | ... |
@@ -317,6 +317,8 @@ int upx_inflate2b(const char *src, uint32_t ssize, char *dst, uint32_t *dsize, u |
| 317 | 317 |
while (1) {
|
| 318 | 318 |
if ( (oob = doubleebx(src, &myebx, &scur, ssize)) == -1 ) |
| 319 | 319 |
return -1; |
| 320 |
+ if (backbytes + oob > INT32_MAX / 2) |
|
| 321 |
+ return -1; |
|
| 320 | 322 |
backbytes = backbytes*2+oob; |
| 321 | 323 |
if ( (oob = doubleebx(src, &myebx, &scur, ssize)) == -1 ) |
| 322 | 324 |
return -1; |
| ... | ... |
@@ -330,6 +332,8 @@ int upx_inflate2b(const char *src, uint32_t ssize, char *dst, uint32_t *dsize, u |
| 330 | 330 |
|
| 331 | 331 |
if (scur>=ssize) |
| 332 | 332 |
return -1; |
| 333 |
+ if (backbytes & 0xff000000) |
|
| 334 |
+ return -1; |
|
| 333 | 335 |
backbytes<<=8; |
| 334 | 336 |
backbytes+=(unsigned char)(src[scur++]); |
| 335 | 337 |
backbytes^=0xffffffff; |
| ... | ... |
@@ -343,16 +347,22 @@ int upx_inflate2b(const char *src, uint32_t ssize, char *dst, uint32_t *dsize, u |
| 343 | 343 |
return -1; |
| 344 | 344 |
if ( (oob = doubleebx(src, &myebx, &scur, ssize)) == -1) |
| 345 | 345 |
return -1; |
| 346 |
+ if (backsize + oob > UINT32_MAX / 2) |
|
| 347 |
+ return -1; |
|
| 346 | 348 |
backsize = backsize*2 + oob; |
| 347 | 349 |
if (!backsize) {
|
| 348 | 350 |
backsize++; |
| 349 | 351 |
do {
|
| 350 | 352 |
if ( (oob = doubleebx(src, &myebx, &scur, ssize)) == -1) |
| 351 | 353 |
return -1; |
| 354 |
+ if (backsize + oob > UINT32_MAX / 2) |
|
| 355 |
+ return -1; |
|
| 352 | 356 |
backsize = backsize*2 + oob; |
| 353 | 357 |
} while ((oob = doubleebx(src, &myebx, &scur, ssize)) == 0); |
| 354 | 358 |
if ( oob == -1 ) |
| 355 | 359 |
return -1; |
| 360 |
+ if (backsize + 2 > UINT32_MAX) |
|
| 361 |
+ return -1; |
|
| 356 | 362 |
backsize+=2; |
| 357 | 363 |
} |
| 358 | 364 |
|
| ... | ... |
@@ -392,6 +402,8 @@ int upx_inflate2d(const char *src, uint32_t ssize, char *dst, uint32_t *dsize, u |
| 392 | 392 |
while (1) {
|
| 393 | 393 |
if ( (oob = doubleebx(src, &myebx, &scur, ssize)) == -1 ) |
| 394 | 394 |
return -1; |
| 395 |
+ if (backbytes + oob > INT32_MAX / 2) |
|
| 396 |
+ return -1; |
|
| 395 | 397 |
backbytes = backbytes*2+oob; |
| 396 | 398 |
if ( (oob = doubleebx(src, &myebx, &scur, ssize)) == -1 ) |
| 397 | 399 |
return -1; |
| ... | ... |
@@ -410,6 +422,8 @@ int upx_inflate2d(const char *src, uint32_t ssize, char *dst, uint32_t *dsize, u |
| 410 | 410 |
|
| 411 | 411 |
if (scur>=ssize) |
| 412 | 412 |
return -1; |
| 413 |
+ if (backbytes & 0xff000000) |
|
| 414 |
+ return -1; |
|
| 413 | 415 |
backbytes<<=8; |
| 414 | 416 |
backbytes+=(unsigned char)(src[scur++]); |
| 415 | 417 |
backbytes^=0xffffffff; |
| ... | ... |
@@ -426,16 +440,22 @@ int upx_inflate2d(const char *src, uint32_t ssize, char *dst, uint32_t *dsize, u |
| 426 | 426 |
|
| 427 | 427 |
if ( (oob = doubleebx(src, &myebx, &scur, ssize)) == -1 ) |
| 428 | 428 |
return -1; |
| 429 |
+ if (backsize + oob > UINT32_MAX / 2) |
|
| 430 |
+ return -1; |
|
| 429 | 431 |
backsize = backsize*2 + oob; |
| 430 | 432 |
if (!backsize) {
|
| 431 | 433 |
backsize++; |
| 432 | 434 |
do {
|
| 433 | 435 |
if ( (oob = doubleebx(src, &myebx, &scur, ssize)) == -1 ) |
| 434 | 436 |
return -1; |
| 437 |
+ if (backsize + oob > UINT32_MAX / 2) |
|
| 438 |
+ return -1; |
|
| 435 | 439 |
backsize = backsize*2 + oob; |
| 436 | 440 |
} while ( (oob = doubleebx(src, &myebx, &scur, ssize)) == 0); |
| 437 | 441 |
if ( oob == -1 ) |
| 438 | 442 |
return -1; |
| 443 |
+ if (backsize + 2 > UINT32_MAX) |
|
| 444 |
+ return -1; |
|
| 439 | 445 |
backsize+=2; |
| 440 | 446 |
} |
| 441 | 447 |
|
| ... | ... |
@@ -473,6 +493,8 @@ int upx_inflate2e(const char *src, uint32_t ssize, char *dst, uint32_t *dsize, u |
| 473 | 473 |
for(;;) {
|
| 474 | 474 |
if ( (oob = doubleebx(src, &myebx, &scur, ssize)) == -1 ) |
| 475 | 475 |
return -1; |
| 476 |
+ if (backbytes + oob > INT32_MAX / 2) |
|
| 477 |
+ return -1; |
|
| 476 | 478 |
backbytes = backbytes*2+oob; |
| 477 | 479 |
if ( (oob = doubleebx(src, &myebx, &scur, ssize)) == -1 ) |
| 478 | 480 |
return -1; |
| ... | ... |
@@ -490,6 +512,8 @@ int upx_inflate2e(const char *src, uint32_t ssize, char *dst, uint32_t *dsize, u |
| 490 | 490 |
|
| 491 | 491 |
if (scur>=ssize) |
| 492 | 492 |
return -1; |
| 493 |
+ if (backbytes & 0xff000000) |
|
| 494 |
+ return -1; |
|
| 493 | 495 |
backbytes<<=8; |
| 494 | 496 |
backbytes+=(unsigned char)(src[scur++]); |
| 495 | 497 |
backbytes^=0xffffffff; |
| ... | ... |
@@ -514,15 +538,21 @@ int upx_inflate2e(const char *src, uint32_t ssize, char *dst, uint32_t *dsize, u |
| 514 | 514 |
if (oob) {
|
| 515 | 515 |
if ((oob = doubleebx(src, &myebx, &scur, ssize)) == -1) |
| 516 | 516 |
return -1; |
| 517 |
+ if (backsize + oob > UINT32_MAX / 2) |
|
| 518 |
+ return -1; |
|
| 517 | 519 |
backsize = 2 + oob; |
| 518 | 520 |
} else {
|
| 519 | 521 |
do {
|
| 520 | 522 |
if ((oob = doubleebx(src, &myebx, &scur, ssize)) == -1) |
| 521 | 523 |
return -1; |
| 524 |
+ if (backsize + oob > UINT32_MAX / 2) |
|
| 525 |
+ return -1; |
|
| 522 | 526 |
backsize = backsize * 2 + oob; |
| 523 | 527 |
} while ((oob = doubleebx(src, &myebx, &scur, ssize)) == 0); |
| 524 | 528 |
if (oob == -1) |
| 525 | 529 |
return -1; |
| 530 |
+ if (backsize + 2 > UINT32_MAX) |
|
| 531 |
+ return -1; |
|
| 526 | 532 |
backsize+=2; |
| 527 | 533 |
} |
| 528 | 534 |
} |
| ... | ... |
@@ -530,6 +560,8 @@ int upx_inflate2e(const char *src, uint32_t ssize, char *dst, uint32_t *dsize, u |
| 530 | 530 |
if ( (uint32_t)unp_offset < 0xfffffb00 ) |
| 531 | 531 |
backsize++; |
| 532 | 532 |
|
| 533 |
+ if (backsize + 2 > UINT32_MAX) |
|
| 534 |
+ return -1; |
|
| 533 | 535 |
backsize+=2; |
| 534 | 536 |
|
| 535 | 537 |
if (!CLI_ISCONTAINED(dst, *dsize, dst+dcur+unp_offset, backsize) || !CLI_ISCONTAINED(dst, *dsize, dst+dcur, backsize) || unp_offset >=0 ) |