From b6ef53f4f4925d3aa71dc1cb828c311d0caa3c24 Mon Sep 17 00:00:00 2001
|
|
From: Michael Hanselmann <public@hansmi.ch>
|
|
Date: Sun, 22 Aug 2021 21:34:13 +0200
|
|
Subject: [PATCH] Update write buffer count during deserialization
|
|
|
|
At commit 8490a7ac the following `fuzzing/usbredirparserfuzz` input causes
|
|
an integer underflow on write_buf_count because it is not updated during
|
|
deserialization:
|
|
|
|
```
|
|
$ base64 -d <<'EOF' | gunzip -c > testcase6250181968920576
|
|
H4sIAMChImECAzNkwA0YgZgTxPiPBGCSAkgK07b9YgPRLDA+EBvNYoPLuzDg
|
|
A3Cj3/xHBTc5IPJgFQz/vwNJznSGBIYQIBtJPxN29n842xbhaohtaXA7GX4z
|
|
fHsPFNVmYHiI4S8jBiKAADbfAEMOaEkCMEDArv6fBpX4gzMM/6OoxxHOWMMO
|
|
YjYiIFleosvhsxcD/IYofY/dW0AD/xPy1nWc3kpDTUsEnYPD+UQEPzHuxB78
|
|
qWDwn0pgP8k6UvGDq0Alu7Foe0+0BYygEDBg+LwtAZhdAUAa2Kf/AwAA
|
|
EOF
|
|
```
|
|
|
|
Signed-off-by: Michael Hanselmann <public@hansmi.ch>
|
|
---
|
|
usbredirparser/usbredirparser.c | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/usbredirparser/usbredirparser.c b/usbredirparser/usbredirparser.c
|
|
index f08a43a..67303d0 100644
|
|
--- a/usbredirparser/usbredirparser.c
|
|
+++ b/usbredirparser/usbredirparser.c
|
|
@@ -20,6 +20,7 @@
|
|
*/
|
|
#include "config.h"
|
|
|
|
+#include <assert.h>
|
|
#include <stddef.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
@@ -1059,6 +1060,8 @@ int usbredirparser_do_write(struct usbredirparser *parser_pub)
|
|
int w, ret = 0;
|
|
|
|
LOCK(parser);
|
|
+ assert((parser->write_buf_count != 0) ^ (parser->write_buf == NULL));
|
|
+
|
|
for (;;) {
|
|
wbuf = parser->write_buf;
|
|
if (!wbuf)
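Review bot: The new `assert` on the count/list invariant is compiled out when the library is built with `NDEBUG`, so in a release build a desynchronised `write_buf_count` still reaches the loop below unchecked, even though that mismatch is exactly what this commit is fixing. Consider keeping the assert for debug builds but adding a runtime guard as well, e.g. `if ((parser->write_buf_count != 0) == (parser->write_buf == NULL)) { /* release the parser lock */ return -1; }` — the unlock counterpart to `LOCK(parser)` is not visible in the hunk, so the exact form needs confirming. The XOR is correct (exactly one of "count is nonzero" and "list is empty" must hold) but reads awkwardly; a one-line comment such as `/* count and list must agree: count is nonzero iff a buffer is queued */` would help. `usbredirparser_do_write`'s body continues outside the hunk.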
|
|
@@ -1763,6 +1766,7 @@ int usbredirparser_unserialize(struct usbredirparser *parser_pub,
|
|
if (unserialize_data(parser, &state, &remain, &parser->data, &i, "data"))
|
|
return -1;
|
|
parser->data_read = i;
|
|
+ parser->write_buf_count = 0;
|
|
|
|
/* Get the write buffer count and the write buffers */
|
|
if (unserialize_int(parser, &state, &remain, &i, "write_buf_count"))
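Review bot: Resetting `write_buf_count` to 0 here only keeps the invariant if `parser->write_buf` is already NULL at this point in `usbredirparser_unserialize`; the earlier part of the function is outside the hunk, so it should be confirmed that any previously queued buffers were freed (otherwise they would be leaked or left uncounted). The `write_buf_count` value read on the last line comes from the serialized stream, which the commit message shows is attacker-reachable via the fuzzer, and after this change it is only used as a loop bound, so a range check on `i` right after it — reject negative values and cap at a sane maximum — would be cheaper than letting an arbitrary value drive the loop. A comment on the reset would make the intent clear to the next reader: `/* Rebuilt below from the buffers actually restored; the serialized count is not trusted. */`. The function continues outside the hunk.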
|
|
@@ -1792,6 +1796,7 @@ int usbredirparser_unserialize(struct usbredirparser *parser_pub,
|
|
wbuf->len = l;
|
|
*next = wbuf;
|
|
next = &wbuf->next;
|
|
+ parser->write_buf_count++;
|
|
i--;
|
|
}
|
|
|
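Review bot: The increment sits after the buffer is linked into the list, so on any early `return -1` earlier in the loop body the count still matches the buffers actually linked, which is the right order for the invariant asserted in `usbredirparser_do_write`; a short comment would keep a future refactor from moving it, e.g. `/* Count only buffers actually linked so count and list stay in sync on error paths. */`. The enclosing loop begins outside the hunk, so its termination condition on `i` (and whether a negative serialized count is rejected before the loop) cannot be checked from here.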
|
--
|
|
1.8.3.1
|
|
|