From bfac6031ab075834183c9f18b28363d11b99e44a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 7 Dec 2010 17:01:04 +0100
Subject: Add overflow check to SAFEALIGN_COPY_*_CHECK macros
CVE-2010-4341
bnc#660481
diff --git a/src/util/util.h b/src/util/util.h
index 7c35550..50c5fe2 100644
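--- a/src/util/util.h
+++ b/src/util/util.h
@@ -207,12 +207,14 @@ safealign_memcpy(void *dest, const void *src, size_t n, size_t *counter)
 SAFEALIGN_SET_VALUE(dest, value, uint16_t, pctr)
 
 #define SAFEALIGN_COPY_UINT32_CHECK(dest, src, len, pctr) do { \
- if ((*(pctr) + sizeof(uint32_t)) > (len)) return EINVAL; \
+ if ((*(pctr) + sizeof(uint32_t)) > (len) || \
+ SIZE_T_OVERFLOW(*(pctr), sizeof(uint32_t))) return EINVAL; \
 safealign_memcpy(dest, src, sizeof(uint32_t), pctr); \
 } while(0)
 
 #define SAFEALIGN_COPY_INT32_CHECK(dest, src, len, pctr) do { \
- if ((*(pctr) + sizeof(int32_t)) > (len)) return EINVAL; \
+ if ((*(pctr) + sizeof(int32_t)) > (len) || \
+ SIZE_T_OVERFLOW(*(pctr), sizeof(int32_t))) return EINVAL; \
 safealign_memcpy(dest, src, sizeof(int32_t), pctr); \
 } while(0)
 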
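Review bot: In both SAFEALIGN_COPY_UINT32_CHECK and SAFEALIGN_COPY_INT32_CHECK the sum `*(pctr) + sizeof(uint32_t)` is still computed and compared before `SIZE_T_OVERFLOW` is consulted, so the guard is correct only because unsigned wrap-around is well defined and the second operand then catches the wrapped case; it also assumes `*(pctr)` and `len` are both `size_t`, which the hunk does not show. A form that cannot wrap needs no helper and reads as one bound: `if ((len) < sizeof(uint32_t) || *(pctr) > (len) - sizeof(uint32_t)) return EINVAL; \`. Either way, a comment above each macro should state that it executes `return EINVAL` in the calling function and expands `pctr` several times, so it is only usable in functions returning an errno-style int and with side-effect-free arguments. `SIZE_T_OVERFLOW` is defined outside this hunk, and whether CHECK macros for other widths exist and need the same guard cannot be seen from here.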
--
1.7.3.2