[PATCH 1/2] libv4lconvert: Prevent integer overflow by checking width and height

The Mayhem Team found a crash caused by an integer overflow.
Details are here:
http://www.forallsecure.com/bug-reports/8aae67d864bce76993f3f9812b4a2aeea0eb38da/

Signed-off-by: Gregor Jasny <gjasny@xxxxxxxxxxxxxx>
---
 lib/libv4lconvert/ov511-decomp.c | 7 ++++++-
 lib/libv4lconvert/ov518-decomp.c | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/lib/libv4lconvert/ov511-decomp.c b/lib/libv4lconvert/ov511-decomp.c
index 90fc4b1..971d497 100644
--- a/lib/libv4lconvert/ov511-decomp.c
+++ b/lib/libv4lconvert/ov511-decomp.c
@@ -14,6 +14,7 @@
  * Free Software Foundation; version 2 of the License.
  */
 
+#include <limits.h>
 #include <string.h>
 #include <unistd.h>
 #include "helper-funcs.h"
@@ -640,7 +641,11 @@ int main(int argc, char *argv[])
 
 
 		dest_size = width * height * 3 / 2;
-		if (dest_size > sizeof(dest_buf)) {
+		if (width <= 0 || width > SHRT_MAX || height <= 0 || height > SHRT_MAX) {
+			fprintf(stderr, "%s: error: width or height out of bounds\n",
+					argv[0]);
+			dest_size = -1;
+		} else if (dest_size > sizeof(dest_buf)) {
 			fprintf(stderr, "%s: error: dest_buf too small, need: %d\n",
 					argv[0], dest_size);
 			dest_size = -1;
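
Review bot: `dest_size = width * height * 3 / 2;` still runs before the new range check in this hunk, so out-of-range values are multiplied first and only rejected afterwards. If these are signed ints (dest_size is printed with %d), that is still signed overflow, which is undefined behaviour, and the compiler is free to assume it cannot happen. Suggest testing width and height first and computing dest_size only in the branch where both are in range.
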
diff --git a/lib/libv4lconvert/ov518-decomp.c b/lib/libv4lconvert/ov518-decomp.c
index 47b5cbb..91d908c 100644
--- a/lib/libv4lconvert/ov518-decomp.c
+++ b/lib/libv4lconvert/ov518-decomp.c
@@ -15,6 +15,7 @@
  * Free Software Foundation; version 2 of the License.
  */
 
+#include <limits.h>
 #include <string.h>
 #include <unistd.h>
 #include "helper-funcs.h"
@@ -1454,7 +1455,11 @@ int main(int argc, char *argv[])
 
 
 		dest_size = width * height * 3 / 2;
-		if (dest_size > sizeof(dest_buf)) {
+		if (width <= 0 || width > SHRT_MAX || height <= 0 || height > SHRT_MAX) {
+			fprintf(stderr, "%s: error: width or height out of bounds\n",
+					argv[0]);
+			dest_size = -1;
+		} else if (dest_size > sizeof(dest_buf)) {
 			fprintf(stderr, "%s: error: dest_buf too small, need: %d\n",
 					argv[0], dest_size);
 			dest_size = -1;
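
Review bot: the SHRT_MAX limit in the new `if` does not by itself keep `width * height * 3` within a 32-bit int: 32767 * 32767 * 3 is 3221028867, which is above INT_MAX, so a pair of values that passes this check can still overflow the product if these variables are plain int (dest_size is printed with %d). Suggest deriving the bound from the buffer instead, for example rejecting when `height > sizeof(dest_buf) * 2 / 3 / width` after confirming width > 0, or doing the multiplication in a wider unsigned type. Since the identical check is added to both ov511-decomp.c and ov518-decomp.c, and both include helper-funcs.h, a shared helper there would keep the two copies from drifting; printing the rejected width and height in the error message would also help when diagnosing bad input.
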
-- 
1.8.3.1
