From bfac6031ab075834183c9f18b28363d11b99e44a Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 7 Dec 2010 17:01:04 +0100 Subject: Add overflow check to SAFEALIGN_COPY_*_CHECK macros CVE-2010-4341 bnc#660481 diff --git a/src/util/util.h b/src/util/util.h index 7c35550..50c5fe2 100644 --- a/src/util/util.h +++ b/src/util/util.h @@ -207,12 +207,14 @@ safealign_memcpy(void *dest, const void *src, size_t n, size_t *counter) SAFEALIGN_SET_VALUE(dest, value, uint16_t, pctr) #define SAFEALIGN_COPY_UINT32_CHECK(dest, src, len, pctr) do { \ - if ((*(pctr) + sizeof(uint32_t)) > (len)) return EINVAL; \ + if ((*(pctr) + sizeof(uint32_t)) > (len) || \ + SIZE_T_OVERFLOW(*(pctr), sizeof(uint32_t))) return EINVAL; \ safealign_memcpy(dest, src, sizeof(uint32_t), pctr); \ } while(0) #define SAFEALIGN_COPY_INT32_CHECK(dest, src, len, pctr) do { \ - if ((*(pctr) + sizeof(int32_t)) > (len)) return EINVAL; \ + if ((*(pctr) + sizeof(int32_t)) > (len) || \ + SIZE_T_OVERFLOW(*(pctr), sizeof(int32_t))) return EINVAL; \ safealign_memcpy(dest, src, sizeof(int32_t), pctr); \ } while(0) -- 1.7.3.2