Read Time:24 Second

Posted by Erg Noor on Mar 02

Hi,

Trivial overflow in hfslib_reada_node_offset, while loop has no range
checks.

|size_t hfslib_reada_node_offsets(void* in_bytes, uint16_t*
out_offset_array) { void* ptr; if (in_bytes == NULL || out_offset_array
== NULL) return 0; ptr = in_bytes; out_offset_array–; do {
out_offset_array++; *out_offset_array = be16tohp(&ptr); } while
(*out_offset_array != (uint16_t)14); return ((uint8_t*)ptr –
(uint8_t*)in_bytes); }|

Repro is here…

Read More

More Stories