
fuzz - 12306 - ARJ decode left shift and int storage checks added

Mickey Sola authored on 2019/01/18 08:49:59
Showing 1 changed files
@@ -163,7 +163,9 @@ static int fill_buf(arj_decode_t *decode_data, int n)
163 163
 {
164 164
         if (decode_data->status == CL_EFORMAT)
165 165
 	    return CL_EFORMAT;
166
-	decode_data->bit_buf = (decode_data->bit_buf << n) & 0xFFFF;
166
+    if (((uint64_t) decode_data->bit_buf) * (n > 0 ? 2 << (n - 1) : 0) > UINT32_MAX)
167
+        return CL_EFORMAT;
168
+    decode_data->bit_buf = (((uint64_t) decode_data->bit_buf) << n) & 0xFFFF;
167 169
 	while (n > decode_data->bit_count) {
168 170
 		decode_data->bit_buf |= decode_data->sub_bit_buf << (n -= decode_data->bit_count);
169 171
 		if (decode_data->comp_size != 0) {
@@ -623,10 +625,34 @@ static int decode(arj_metadata_t *metadata)
623 623
 	return CL_SUCCESS;
624 624
 }
625 625
 
626
-#define ARJ_BFIL(dd) {dd->getbuf|=dd->bit_buf>>dd->getlen;fill_buf(dd,CODE_BIT-dd->getlen);dd->getlen=CODE_BIT;}
627
-#define ARJ_GETBIT(dd,c) {if(dd->getlen<=0)ARJ_BFIL(dd) c=(dd->getbuf&0x8000)!=0;dd->getbuf<<=1;dd->getlen--;}
628
-#define ARJ_BPUL(dd,l) {dd->getbuf<<=l;dd->getlen-=l;}
629
-#define ARJ_GETBITS(dd,c,l) {if(dd->getlen<l)ARJ_BFIL(dd) c=(uint16_t)dd->getbuf>>(CODE_BIT-l);ARJ_BPUL(dd,l)}
626
+#define ARJ_BFIL(dd)                             \
627
+    {                                            \
628
+        dd->getbuf |= dd->bit_buf >> dd->getlen; \
629
+        fill_buf(dd, CODE_BIT - dd->getlen);     \
630
+        dd->getlen = CODE_BIT;                   \
631
+    }
632
+#define ARJ_GETBIT(dd, c)                                    \
633
+    {                                                        \
634
+        if (dd->getlen <= 0) ARJ_BFIL(dd)                    \
635
+                             c = (dd->getbuf & 0x8000) != 0; \
636
+        dd->getbuf *= 2;                                    \
637
+        dd->getlen--;                                        \
638
+    }
639
+#define ARJ_BPUL(dd, l)           \
640
+    do {                          \
641
+        int i;                    \
642
+        int j = l;                \
643
+        for (i = 0; i < j; i++) { \
644
+            dd->getbuf *= 2;      \
645
+        }                         \
646
+        dd->getlen -= l;          \
647
+    } while(0)
648
+#define ARJ_GETBITS(dd, c, l)                                           \
649
+    {                                                                   \
650
+        if (dd->getlen < l) ARJ_BFIL(dd)                                \
651
+                            c = (uint16_t)dd->getbuf >> (CODE_BIT - l); \
652
+        ARJ_BPUL(dd, l);                                                 \
653
+    }
630 654
 
631 655
 static uint16_t decode_ptr(arj_decode_t *decode_data)
632 656
 {
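Review bot: The new overflow guard in fill_buf (first hunk) is itself undefined for out-of-range n: `2 << (n - 1)` is an int shift that overflows at n == 31 and shifts by the full width from n == 32, and a negative n passes the guard (multiplier 0) only to reach the `<< n` on the next line. Because the shift is already widened to uint64_t, bounding n and testing the widened value directly gives a well-defined check: `if (n < 0 || n >= 32 || (((uint64_t) decode_data->bit_buf) << n) > UINT32_MAX)` followed by `return CL_EFORMAT;` — this assumes bit_buf is no wider than 32 bits, which the struct definition (not in this diff) should confirm. fill_buf's body continues past the hunk. In the second hunk, clang-format's indentation of `c = ...` under `if (dd->getlen <= 0) ARJ_BFIL(dd)` makes the assignment look conditional when it runs unconditionally; giving ARJ_BFIL the same `do { ... } while (0)` form the new ARJ_BPUL uses, and terminating its uses with a semicolon, would make the macro bodies read as written.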