Closed GoogleCodeExporter closed 8 years ago
Sorry, sure:
if (buflen > *hdr_len-sizeof(char)-sizeof(int))
    return NULL;
Original comment by nuclear...@gmail.com
on 30 Sep 2009 at 1:15
Try this patch against libsqtlv/tlv.c :
Index: tlv.c
===================================================================
--- tlv.c (revision 14309)
+++ tlv.c (working copy)
@@ -59,6 +59,11 @@
xmemcpy(&buflen, &buf[j], sizeof(int));
j += sizeof(int);
+ if (buflen > (*hdr_len) - sizeof(char) - sizeof(int)) {
+ debug(20, 0) ("tlv_unpack: unable to unpack: passed buffer size %d
bytes; TLV length %d bytes; header prefix size %d
bytes\n", buflen, *hdr_len, (int) (sizeof(char) + sizeof(int)));
+ return NULL;
+ }
+
/*
* sanity check on 'buflen' value. It should be at least big
* enough to hold one type and one length.
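Review bot: the debug() format string labels its arguments the wrong way round: buflen, the length just read out of the record, is printed under "passed buffer size", and *hdr_len, the size of the buffer handed to tlv_unpack, is printed under "TLV length", so a message such as "passed buffer size 1545 bytes; TLV length 1024 bytes" actually describes a 1024-byte buffer carrying a record that claims 1545 bytes. Swap the two labels (or the argument order) so the text matches the values. Two smaller points on the check itself: buflen is an int while the right-hand side is size_t arithmetic, so a negative buflen converts to a huge unsigned value and is correctly rejected, but a *hdr_len smaller than sizeof(char) + sizeof(int) underflows and makes the comparison pass; an explicit `if (*hdr_len < sizeof(char) + sizeof(int)) return NULL;` before the subtraction closes that. And since j has already been advanced past this entry's type and length, the tighter bound is the bytes remaining after j (`*hdr_len - j`) rather than the whole buffer minus one header, which matters if more than one TLV entry can follow in the same buffer.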
Original comment by adrian.c...@gmail.com
on 2 Oct 2009 at 4:03
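As an added illustration of the check being discussed (this is example code written for this page, not libsqtlv's tlv.c), the unpacker below validates every length field against the bytes that remain after the current offset, and rejects negative lengths before they are converted to an unsigned size. The wire layout (1-byte type, 4-byte native-endian int length, then the value) and the names tlv_unpack_checked, tlv_put and the demo_* functions are assumptions for the example; the corrupt record in demo_oversized is constructed to resemble the log lines in this thread, where a record claims far more bytes than the buffer holds.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed wire layout: [type: 1 byte][length: native int][value: length bytes], repeated. */
#define TLV_HDR (sizeof(char) + sizeof(int))

struct tlv_entry {
    unsigned char type;
    size_t len;
    const unsigned char *val;   /* points into the caller's buffer */
};

/* Parse up to max_entries entries from buf. Returns the number of entries
 * found, or -1 if any header is truncated or any length exceeds the bytes
 * remaining after the header. Offsets are tracked as size_t so the
 * comparison never mixes a signed length with unsigned arithmetic. */
int tlv_unpack_checked(const unsigned char *buf, size_t buflen,
                       struct tlv_entry *out, size_t max_entries)
{
    size_t j = 0, n = 0;

    while (j < buflen) {
        unsigned char type;
        int len;

        if (buflen - j < TLV_HDR)           /* not even room for type + length */
            return -1;
        type = buf[j++];
        memcpy(&len, &buf[j], sizeof(int));
        j += sizeof(int);

        /* Reject negative lengths explicitly (they would otherwise become huge
         * size_t values), then bound against what remains after this header. */
        if (len < 0 || (size_t)len > buflen - j)
            return -1;

        if (n < max_entries) {
            out[n].type = type;
            out[n].len = (size_t)len;
            out[n].val = &buf[j];
        }
        n++;
        j += (size_t)len;
    }
    return (int)n;
}

/* Append one well-formed entry at offset off; returns the new offset, or 0 if it does not fit. */
size_t tlv_put(unsigned char *dst, size_t cap, size_t off,
               unsigned char type, int len, const void *val)
{
    if (off > cap || len < 0 || cap - off < TLV_HDR + (size_t)len)
        return 0;
    dst[off++] = type;
    memcpy(&dst[off], &len, sizeof(int));
    off += sizeof(int);
    memcpy(&dst[off], val, (size_t)len);
    return off + (size_t)len;
}

/* Two valid entries: expect 2. */
int demo_valid(void)
{
    unsigned char buf[64];
    struct tlv_entry e[4];
    size_t off = tlv_put(buf, sizeof buf, 0, 1, 3, "abc");
    off = tlv_put(buf, sizeof buf, off, 2, 5, "hello");
    return tlv_unpack_checked(buf, off, e, 4);
}

/* Constructed corrupt record: header claims 1024 value bytes but only 3 follow. Expect -1. */
int demo_oversized(void)
{
    unsigned char buf[8];
    struct tlv_entry e[1];
    int claimed = 1024;
    buf[0] = 1;
    memcpy(&buf[1], &claimed, sizeof(int));
    memcpy(&buf[5], "abc", 3);
    return tlv_unpack_checked(buf, sizeof buf, e, 1);
}

/* Constructed record with a negative length field. Expect -1. */
int demo_negative_length(void)
{
    unsigned char buf[8];
    struct tlv_entry e[1];
    int claimed = -1;
    buf[0] = 1;
    memcpy(&buf[1], &claimed, sizeof(int));
    memset(&buf[5], 0, 3);
    return tlv_unpack_checked(buf, sizeof buf, e, 1);
}

int main(void)
{
    printf("valid: %d  oversized: %d  negative: %d\n",
           demo_valid(), demo_oversized(), demo_negative_length());
    return 0;
}
```

The bound is taken relative to the current offset j rather than to the whole buffer, so the check stays correct when several entries share one buffer, and the signed length is tested before the cast so a negative value cannot slip past as a large unsigned number.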
Yes it is working fine. Here is what I got as an example in logs on corrupted files:
2009/10/04 02:31:00| tlv_unpack: unable to unpack: passed buffer size 1545 bytes; TLV length 1024 bytes; header prefix size 5 bytes
2009/10/04 02:31:06| tlv_unpack: unable to unpack: passed buffer size 1529 bytes; TLV length 1024 bytes; header prefix size 5 bytes
2009/10/04 02:31:09| tlv_unpack: unable to unpack: passed buffer size 1333 bytes; TLV length 1024 bytes; header prefix size 5 bytes
2009/10/04 02:31:15| tlv_unpack: unable to unpack: passed buffer size 2047 bytes; TLV length 1024 bytes; header prefix size 5 bytes
2009/10/04 02:31:25| tlv_unpack: unable to unpack: passed buffer size 1333 bytes; TLV length 1024 bytes; header prefix size 5 bytes
2009/10/04 02:31:29| tlv_unpack: unable to unpack: passed buffer size 1022 bytes; TLV length 1024 bytes; header prefix size 5 bytes
2009/10/04 02:31:58| tlv_unpack: unable to unpack: passed buffer size 1174 bytes; TLV length 1024 bytes; header prefix size 5 bytes
2009/10/04 02:31:59| tlv_unpack: unable to unpack: passed buffer size 2044 bytes; TLV length 1024 bytes; header prefix size 5 bytes
Original comment by nuclear...@gmail.com
on 3 Oct 2009 at 11:32
Committed, revision r14313. Thanks!
Original comment by adrian.c...@gmail.com
on 4 Oct 2009 at 1:57
Original issue reported on code.google.com by
nuclear...@gmail.com
on 30 Sep 2009 at 1:12