-
Notifications
You must be signed in to change notification settings - Fork 466
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added overflow check for CVE-2021-29338 #1396
Conversation
…press, opj_dump. See comment on commit 79c7d7a.
Removed automatically generated settings.json
I saw your comment, but calloc() should really check for the overflow. I'd expect only old and unmaintained platform to have a buggy implementation and we probably don't care about them. Or said otherwise: can you quote one recent enough platform of interest whose calloc() wouldn't check the overflow of the multiplication of the argument ? |
ok, answering myself I see the list is in the link : https://www.avertium.com/blog/overview-badalloc-vulnerabilities. |
Rodger that, just wanted to bring some attention to the topic since I had seen the update and I had done some research on the topic. |
I forgot to point out there still is an integer overflow in the following for loops, it was mentioned in my comment on 79c7d7a: This for loop can produce similar behavior to the original CVE. |
Specifically when the strcpy function is called in the load_images function. |
casting the iterator i / it_image to size_t before doing the multiplication should fix it, right ? I could take such a fix if you want to issue a PR with it (I don't think this PR protects against that) |
Forgive me for the repeated comment I haven't looked at this in a while and now that I am digging into it I am finding all of the issues that lead to the fix I tried to push originally:
}' the maximum number of file in a dir in windows 10 is equal to SIZE_MAX, meaning that the signed integer operation will overflow if the number of files in the dir is > 2147483647. The integer will wrap and the calloc will allocate an amount of memory. The cast to size_t to fix the multiplication will still have an integer overflow error. The original solution prevents all of this by ensuring that num_images is < SIZE_MAX/(OPJ_PATH_LEN* 8) and I added a check to ensure num_images is not negative, resulting in unintended execution. |
that's really a theoretical concern... In any case if we wanted to address this, this would need to be checked in get_num_images() before the overflow occurs |
I understand that the the concern is theoretical and unrealistic for normal use. It is however a very exploitable path and a real security vulnerability. It's the same exploitation path as the original CVE just with a larger number of files. Point to a dir with enough named files to create the overflow, use the file names to inject data onto the stack as the are read in past the end of the allocated memory. |
Should I move the check for num_images to the get_num_images function? Also are you suggesting the function should throw an error and exit? or are we adding a flag for overflow and checking the result? |
I'd prefer first that the scope of this PR is only to add the (size_t) casts so that we keep focus on one thing at a time For another PR to address the overflow in get_num_images, I would just break from the for loop in get_num_images before the overflow of the counter occurs. |
Rodger that, I will fix this PR to just add the casts. I will open a separate pull request down the line for the get_num_images. |
Thanks for the assist, Sorry for spamming the commits. |
Added a multiplication check before the call to calloc, see my comment on 79c7d7a