stcorp / coda

The Common Data Access toolset
http://stcorp.github.io/coda/doc/html/index.html
BSD 3-Clause "New" or "Revised" License

coda-definition-parse: oom reading zip #82

Closed schwehr closed 4 years ago

schwehr commented 4 years ago

This is likely another case where there could be an extra check on a zip file.

    #8 0x559a403037d3 in get_product_class_revision third_party/stcorp_coda/libcoda/coda-definition-parse.c:2770:14
    #9 0x559a403007b1 in cd_product_class_init third_party/stcorp_coda/libcoda/coda-definition-parse.c:2808:9
    #10 0x559a40300230 in push_node third_party/stcorp_coda/libcoda/coda-definition-parse.c:3895:13
    #11 0x559a402ff711 in start_element_handler third_party/stcorp_coda/libcoda/coda-definition-parse.c:4001:9
    #12 0x559a404ab7d2 in doContent third_party/expat/lib/xmlparse.c:2755:9
    #13 0x559a4049bbdb in contentProcessor third_party/expat/lib/xmlparse.c:2445:9
    #14 0x559a40490674 in doProlog third_party/expat/lib/xmlparse.c:4371:14
    #15 0x559a4048748b in prologProcessor third_party/expat/lib/xmlparse.c:4094:10
    #16 0x559a40487003 in prologInitProcessor third_party/expat/lib/xmlparse.c:3920:10
    #17 0x559a4048478f in XML_ParseBuffer third_party/expat/lib/xmlparse.c:1893:25
    #18 0x559a40483162 in XML_Parse third_party/expat/lib/xmlparse.c:1857:14
    #19 0x559a402fdb5d in parse_entry third_party/stcorp_coda/libcoda/coda-definition-parse.c:4218:14
    #20 0x559a402fe9f9 in read_definition_file third_party/stcorp_coda/libcoda/coda-definition-parse.c:4263:9
    #21 0x559a402fe7c0 in coda_read_definitions third_party/stcorp_coda/libcoda/coda-definition-parse.c:4471:21
    #22 0x559a4028cc89 in LLVMFuzzerTestOneInput third_party/stcorp_coda/fuzz/coda_read_definitions_fuzzer.cc:19:3

This in coda-definition-parse.c prevents the oom:

    entry = za_get_entry_by_name(info->zf, "VERSION");
    if (entry == NULL)
    {
        /* no version number available -> use revision number 0 */
        *revision = 0;
        return 0;
    }
    filesize = za_get_entry_size(entry);
    if (filesize == 0)
    {
        /* no version number available -> use revision number 0 */
        *revision = 0;
        return 0;
    }
    // BEGIN MODIFICATION
    if (filesize > 1000000) {
        /* cast matches the %lu conversion; filesize + 1 is the size malloc would be asked for */
        coda_set_error(CODA_ERROR_OUT_OF_MEMORY, "too large %lu (%s:%u)",
                       (unsigned long)filesize + 1, __FILE__, __LINE__);
        return -1;
    }
    // END MODIFICATION
    buffer = malloc(filesize + 1);
    if (buffer == NULL)
    {
        coda_set_error(CODA_ERROR_OUT_OF_MEMORY, "out of memory (could not allocate %lu bytes) (%s:%u)",

oom-7d873847c323d2593b87a3b30f93023ca231baa7.zip

svniemeijer commented 4 years ago

Should be fixed in cc836c0f30c9dfd8faf13f3a95c168cfd75cfc20. We were not checking the sizes for uncompressed entries properly.
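As an added example, not part of this thread or of the CODA code base, here is the kind of check both comments describe: a zip central directory reader that refuses a stored entry whose compressed and uncompressed sizes disagree and caps the declared size before it can reach `malloc`. Field offsets follow the PKWARE zip format, the 1000000 byte cap is the value from the proposed modification, and the headers built by `check_constructed_entry` are constructed test data.

```c
/* Added example, not CODA project code: validate the sizes a zip central
 * directory entry declares before trusting them for an allocation. Offsets
 * follow the PKWARE APPNOTE; the cap is the one proposed in this issue. */
#include <stdint.h>
#include <stddef.h>
#define CDIR_SIG       0x02014b50u   /* central directory file header signature */
#define METHOD_STORED  0             /* method 0 = stored, i.e. uncompressed */
#define MAX_ENTRY_SIZE 1000000u      /* largest entry we are willing to malloc */

typedef struct { uint16_t method; uint32_t csize, usize; } zip_sizes;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse the 46-byte fixed part of a central directory header; -1 on a short
 * buffer or wrong signature, so sizes are never read from garbage. */
int parse_cdir_sizes(const uint8_t *buf, size_t len, zip_sizes *out)
{
    if (len < 46 || rd32(buf) != CDIR_SIG) return -1;
    out->method = rd16(buf + 10);
    out->csize  = rd32(buf + 20);
    out->usize  = rd32(buf + 24);
    return 0;
}

/* 1 when usize may be passed to malloc(usize + 1), 0 when the entry must be
 * rejected: a stored entry whose two sizes disagree carries a forged header,
 * and a size above the cap lets a tiny archive drive a huge allocation. */
int entry_sizes_ok(const zip_sizes *e)
{
    if (e->method == METHOD_STORED && e->csize != e->usize) return 0;
    if (e->usize > MAX_ENTRY_SIZE) return 0;
    return 1;
}

/* Build a constructed header from the given fields and run both checks:
 * -1 unparseable, 0 rejected, 1 accepted. */
int check_constructed_entry(uint16_t method, uint32_t csize, uint32_t usize)
{
    uint8_t hdr[46] = {0x50, 0x4b, 0x01, 0x02};   /* signature, remaining fields zero */
    zip_sizes s;
    hdr[10] = (uint8_t)method; hdr[11] = (uint8_t)(method >> 8);
    for (int i = 0; i < 4; i++) {
        hdr[20 + i] = (uint8_t)(csize >> (8 * i));
        hdr[24 + i] = (uint8_t)(usize >> (8 * i));
    }
    if (parse_cdir_sizes(hdr, sizeof hdr, &s) != 0) return -1;
    return entry_sizes_ok(&s);
}
```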