gap-packages / guava

GAP package guava - computations relative to error-correcting codes
https://gap-packages.github.io/guava

Potential Integer Overflow vulnerability in src/ctjhai/minimum-weight.c #57

Open KSB21ST opened 3 years ago

KSB21ST commented 3 years ago

Hi, it seems that there exists a potential integer overflow. Please find the following description:

  1. M->cols can be an arbitrarily large number: https://github.com/gap-packages/guava/blob/685d1d5c1b531ea9d52dc0521092c80b2cc9d877/src/ctjhai/minimum-weight.c#L147

  2. Call to malloc with the large integer can cause a memory allocation with an overflowed size: https://github.com/gap-packages/guava/blob/685d1d5c1b531ea9d52dc0521092c80b2cc9d877/src/ctjhai/minimum-weight.c#L152

osj1961 commented 2 years ago

Related to another issue where ctjhai's code returns wrong minimum distance results for codes with very long lengths. We should set and document a maximum length -- can switch to using long ints to allow for a pretty huge size -- and include a check before calling malloc (better yet, before even calling the C code).
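
One way to implement the check proposed in the comment above, as an added example that is not from the issue thread or from GUAVA's source: dimensions are validated against a documented maximum and the byte count is computed with overflow checks before any allocation. `MAX_CODE_LENGTH` (a placeholder value), `matrix_t`, `checked_matrix_bytes` and `matrix_alloc` are hypothetical names.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical documented limit on code length; the real value is a project decision. */
#define MAX_CODE_LENGTH 65536L

/* Hypothetical stand-in for the matrix type; only rows/cols matter here. */
typedef struct {
    long rows, cols;
    unsigned char *data;
} matrix_t;

/* Stores rows*cols*elem in *out and returns 0, or returns -1 if a dimension
 * is non-positive, exceeds the limit, or the product does not fit in size_t. */
int checked_matrix_bytes(long rows, long cols, size_t elem, size_t *out)
{
    if (rows <= 0 || cols <= 0 || elem == 0)
        return -1;                      /* negative values would wrap as size_t */
    if (rows > MAX_CODE_LENGTH || cols > MAX_CODE_LENGTH)
        return -1;                      /* enforce the documented maximum */
    size_t r = (size_t)rows, c = (size_t)cols;
    if (r > SIZE_MAX / c)
        return -1;                      /* rows*cols would overflow */
    size_t cells = r * c;
    if (cells > SIZE_MAX / elem)
        return -1;                      /* cells*elem would overflow */
    *out = cells * elem;
    return 0;
}

/* Allocates the matrix only after the size has been validated. */
matrix_t *matrix_alloc(long rows, long cols)
{
    size_t bytes;
    if (checked_matrix_bytes(rows, cols, sizeof(unsigned char), &bytes) != 0)
        return NULL;
    matrix_t *m = malloc(sizeof *m);
    if (m == NULL)
        return NULL;
    m->data = calloc(1, bytes);         /* zero-filled, size already checked */
    if (m->data == NULL) {
        free(m);
        return NULL;
    }
    m->rows = rows;
    m->cols = cols;
    return m;
}
```

The same bound can be enforced on the GAP side before the C code is invoked, so that oversized inputs are rejected with a clear error instead of reaching `malloc`.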