jmacd / xdelta

open-source binary diff, delta/differential compression tools, VCDIFF/RFC 3284 delta compression
http://xdelta.org

Integer overflows in allocations #232

Open setharnold opened 7 years ago

setharnold commented 7 years ago

Hello, I gave xdelta3 a very quick look as part of the Ubuntu main inclusion process: https://bugs.launchpad.net/ubuntu/+source/xdelta3/+bug/1647222

I found several instances of integers being multiplied together without any obvious bounds checking to ensure that integer overflows aren't triggered:

static void*
__xd3_alloc_func (void* opaque, size_t items, usize_t size)
{
  return malloc (items * (size_t) size);
}
static void*
main_alloc (void   *opaque,
            size_t  items,
            usize_t  size)
{
  return main_malloc1 (items * size);
}
static void
setup_environment (int argc,
                   char **argv,
                   int *argc_out,
                   char ***argv_out,
                   char ***argv_free,
                   char **env_free)
{
  int n, i, i0;
  char *p, *v = getenv("XDELTA");
  if (v == NULL) {
    (*argc_out) = argc;
    (*argv_out) = argv;
    (*argv_free) = NULL;
    (*env_free) = NULL;
    return;
  }

  (*env_free) = (char*) main_malloc((usize_t) strlen(v) + 1);
  strcpy(*env_free, v);

  /* Space needed for extra args, at least # of spaces */
  n = argc + 1;
  for (p = *env_free; *p != 0; ) {
    if (*p++ == ' ') {
      n++;
    }
  }

  (*argv_free) = (char**) main_malloc(sizeof(char*) * (n + 1));
[...]

Do any of these functions operate on data that may not be completely trusted?

The calloc(3) function properly handles multiplication overflow; switching to it would be a good idea.

Thanks
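The overflow pattern raised in this report, as an added example that is not part of the issue or of xdelta's code: an allocation wrapper with the same shape as the quoted `__xd3_alloc_func`, beside a checked variant that rejects an `items * size` product that would wrap around `size_t`. The function names (`unchecked_alloc`, `checked_alloc`, `mul_would_overflow`) and the sample sizes are constructed for the example.

```c
/* Added example, not xdelta's code. Shows why an unchecked items * size
 * multiplication in an allocator wrapper is a problem and how a portable
 * pre-multiplication check (or calloc) closes it. All names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Same shape as the wrapper quoted in the issue: the product is not checked,
 * so a wrapped product hands back a small buffer that the caller believes
 * is large enough for `items` elements. */
void *unchecked_alloc(size_t items, size_t size)
{
    return malloc(items * size);
}

/* The product a wrapped multiplication actually produces. Unsigned
 * wraparound is defined in C, so this is exactly what malloc receives. */
size_t wrapped_product(size_t items, size_t size)
{
    return items * size;
}

/* Portable overflow test: items * size fits in size_t iff
 * items == 0 or size <= SIZE_MAX / items. Returns 1 if it would overflow. */
int mul_would_overflow(size_t items, size_t size)
{
    return items != 0 && size > SIZE_MAX / items;
}

/* Checked wrapper: fails cleanly with NULL instead of returning a buffer
 * that is far smaller than the caller asked for. calloc(3) gives the same
 * guarantee (and zeroes the memory); this form keeps malloc semantics for
 * callers that overwrite the whole buffer anyway. */
void *checked_alloc(size_t items, size_t size)
{
    if (mul_would_overflow(items, size)) {
        return NULL;
    }
    return malloc(items * size);
}

int main(void)
{
    /* Constructed input: huge * 8 exceeds SIZE_MAX by exactly 8, so the
     * product wraps to 8 on both 32-bit and 64-bit targets. */
    size_t huge = (SIZE_MAX / 8) + 2;

    printf("wrapped product      : %zu bytes requested from malloc\n",
           wrapped_product(huge, 8));

    void *bad = unchecked_alloc(huge, 8);   /* succeeds with an 8-byte buffer */
    printf("unchecked_alloc      : %s\n", bad ? "returned a (tiny) buffer" : "NULL");
    free(bad);

    void *good = checked_alloc(huge, 8);
    printf("checked_alloc        : %s\n", good ? "allocated" : "rejected (overflow)");
    free(good);

    void *c = calloc(huge, 8);              /* calloc performs the same check */
    printf("calloc               : %s\n", c ? "allocated" : "rejected (overflow)");
    free(c);

    return 0;
}
```

The check in `mul_would_overflow` is the one to reach for when a wrapper must keep `malloc` semantics; when the caller does not depend on uninitialised contents, switching the wrapper to `calloc(items, size)` as the report suggests is the smaller change.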

i30817 commented 6 years ago

If you're trying to make an xdelta package, are you also going to distribute it as a library? Several interpreter binding projects exist and have to build it in some fashion already.

This for Python, a Rust crate, etc.

I actually really wish the Python binding could be a pure Python port. It's the only reason my CLI utility doesn't install on Windows via PyPI/pip3. According to the author it's really hard to build native-library Python bindings so they work on all distros (they have a hack with an ancient version of CentOS in a container building against an old C library or something), and the maintainer also doesn't want to build for Windows.

This was also my experience with rar. It was much much easier to use the outdated java port and have it work on all platforms than use upstream sadly.