Fixed some infinite loops that a maliciously-crafted .iso can trigger.
These bugs exposed by American Fuzzy Lop (AFL), a powerful fuzzer. http://lcamtuf.coredump.cx/afl/ (transplanted from 4f1bf89597e5b76c1c317fbeb2b472481090b4e4)
This commit is contained in:
parent
b9fd9e8100
commit
b8aa7dab87
|
@ -151,18 +151,25 @@ static int iso9660LoadEntries(PHYSFS_Io *io, const int joliet,
|
||||||
|
|
||||||
/* recordlen = 0 -> no more entries or fill entry */
|
/* recordlen = 0 -> no more entries or fill entry */
|
||||||
BAIL_IF_ERRPASS(!__PHYSFS_readAll(io, &recordlen, 1), 0);
|
BAIL_IF_ERRPASS(!__PHYSFS_readAll(io, &recordlen, 1), 0);
|
||||||
if (recordlen == 0)
|
if (recordlen > 0)
|
||||||
|
readpos += recordlen; /* ready to seek to next record. */
|
||||||
|
else
|
||||||
{
|
{
|
||||||
|
PHYSFS_uint64 nextpos;
|
||||||
|
|
||||||
/* if we are in the last sector of the directory & it's 0 -> end */
|
/* if we are in the last sector of the directory & it's 0 -> end */
|
||||||
if ((dirend - 2048) <= (readpos - 1))
|
if ((dirend - 2048) <= (readpos - 1))
|
||||||
break; /* finished */
|
break; /* finished */
|
||||||
|
|
||||||
/* else skip to the next sector & continue; */
|
/* else skip to the next sector & continue; */
|
||||||
readpos = (((readpos - 1) / 2048) + 1) * 2048;
|
nextpos = (((readpos - 1) / 2048) + 1) * 2048;
|
||||||
continue;
|
|
||||||
} /* if */
|
|
||||||
|
|
||||||
readpos += recordlen; /* ready to seek to next record. */
|
/* whoops, can't make forward progress! */
|
||||||
|
BAIL_IF(nextpos == readpos, PHYSFS_ERR_CORRUPT, 0);
|
||||||
|
|
||||||
|
readpos = nextpos;
|
||||||
|
continue; /* start back at upper loop. */
|
||||||
|
} /* else */
|
||||||
|
|
||||||
BAIL_IF_ERRPASS(!__PHYSFS_readAll(io, &extattrlen, 1), 0);
|
BAIL_IF_ERRPASS(!__PHYSFS_readAll(io, &extattrlen, 1), 0);
|
||||||
BAIL_IF_ERRPASS(!__PHYSFS_readAll(io, &extent, 4), 0);
|
BAIL_IF_ERRPASS(!__PHYSFS_readAll(io, &extent, 4), 0);
|
||||||
|
@ -203,6 +210,10 @@ static int iso9660LoadEntries(PHYSFS_Io *io, const int joliet,
|
||||||
timestamp = (PHYSFS_sint64) mktime(&t);
|
timestamp = (PHYSFS_sint64) mktime(&t);
|
||||||
|
|
||||||
extent += extattrlen; /* skip extended attribute record. */
|
extent += extattrlen; /* skip extended attribute record. */
|
||||||
|
|
||||||
|
/* infinite loop, corrupt file? */
|
||||||
|
BAIL_IF((extent * 2048) == dirstart, PHYSFS_ERR_CORRUPT, 0);
|
||||||
|
|
||||||
if (!iso9660AddEntry(io, joliet, isdir, base, fname, fnamelen,
|
if (!iso9660AddEntry(io, joliet, isdir, base, fname, fnamelen,
|
||||||
timestamp, extent * 2048, datalen, unpkarc))
|
timestamp, extent * 2048, datalen, unpkarc))
|
||||||
{
|
{
|
||||||
|
|
Loading…
Reference in New Issue