Group :: Ferramentas de Arquivo
RPM: libevt
Main Changelog Spec Patches Sources Download Gear Bugs e FR Repocop
Patch: upstream-CVE-2018-8754.patch
Download
Download
From 9d2cc3ca0a1612a6b271abcacffc2e3eea42925e Mon Sep 17 00:00:00 2001
From: Joachim Metz <joachim.metz@gmail.com>
Date: Sat, 17 Mar 2018 08:35:13 +0100
Subject: [PATCH] Applied updates and addition boundary checks for corrupted
data
---
configure.ac | 14 +++----
libevt.nuspec | 4 +-
libevt/libevt_libfvalue.h | 1 +
libevt/libevt_record_values.c | 35 ++++++++++++++++-
m4/libcdata.m4 | 44 ++++++++++++++++++++-
m4/libcsplit.m4 | 4 +-
m4/libfdata.m4 | 73 ++++++++++++++++++++++++++++++++++-
runtests.sh | 23 ++++++++++-
8 files changed, 182 insertions(+), 16 deletions(-)
diff --git a/libevt/libevt_libfvalue.h b/libevt/libevt_libfvalue.h
index fb914f4..4dc9a4e 100644
--- a/libevt/libevt_libfvalue.h
+++ b/libevt/libevt_libfvalue.h
@@ -29,6 +29,7 @@
#if defined( HAVE_LOCAL_LIBFVALUE )
#include <libfvalue_codepage.h>
+#include <libfvalue_data_handle.h>
#include <libfvalue_definitions.h>
#include <libfvalue_floating_point.h>
#include <libfvalue_integer.h>
diff --git a/libevt/libevt_record_values.c b/libevt/libevt_record_values.c
index 879dff2..c8f46a3 100644
--- a/libevt/libevt_record_values.c
+++ b/libevt/libevt_record_values.c
@@ -1157,6 +1157,17 @@ int libevt_record_values_read_event(
}
if( user_sid_size != 0 )
{
+ if( user_sid_size > ( ( record_data_size - 4 ) - user_sid_offset ) )
+ {
+ libcerror_error_set(
+ error,
+ LIBCERROR_ERROR_DOMAIN_RUNTIME,
+ LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
+ "%s: user SID data size value out of bounds.",
+ function );
+
+ goto on_error;
+ }
if( libfvalue_value_type_initialize(
&( record_values->user_security_identifier ),
LIBFVALUE_VALUE_TYPE_NT_SECURITY_IDENTIFIER,
@@ -1218,6 +1229,17 @@ int libevt_record_values_read_event(
}
if( strings_size != 0 )
{
+ if( strings_size > ( ( record_data_size - 4 ) - strings_offset ) )
+ {
+ libcerror_error_set(
+ error,
+ LIBCERROR_ERROR_DOMAIN_RUNTIME,
+ LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
+ "%s: strings size value out of bounds.",
+ function );
+
+ goto on_error;
+ }
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
@@ -1285,6 +1307,17 @@ int libevt_record_values_read_event(
}
if( data_size != 0 )
{
+ if( data_size > ( ( record_data_size - 4 ) - record_data_offset ) )
+ {
+ libcerror_error_set(
+ error,
+ LIBCERROR_ERROR_DOMAIN_RUNTIME,
+ LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
+ "%s: data size value out of bounds.",
+ function );
+
+ goto on_error;
+ }
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
@@ -1292,7 +1325,7 @@ int libevt_record_values_read_event(
"%s: data:\n",
function );
libcnotify_print_data(
- &( record_data[ data_offset ] ),
+ &( record_data[ record_data_offset ] ),
(size_t) data_size,
LIBCNOTIFY_PRINT_DATA_FLAG_GROUP_DATA );
}