[syslinux:rockridge] iso9660: Avoid arbitrarily large malloc()s
syslinux-bot for Thomas Schmitt
scdbackup at gmx.net
Tue Apr 2 20:45:06 PDT 2013
Commit-ID: 44a33fd5e9dbc7d3a789ac9ec912b7a873adaab0
Gitweb: http://www.syslinux.org/commit/44a33fd5e9dbc7d3a789ac9ec912b7a873adaab0
Author: Thomas Schmitt <scdbackup at gmx.net>
AuthorDate: Tue, 2 Apr 2013 20:42:08 -0700
Committer: H. Peter Anvin <hpa at zytor.com>
CommitDate: Tue, 2 Apr 2013 20:42:08 -0700
iso9660: Avoid arbitrarily large malloc()s
After explaining the slightly wasteful usage of malloc()/memcpy()
with multi-block CE entries, I noticed that I did not install a
safety cap on the malloc size.
I could not challenge this in practice but only by gdb manipulation.
My most CE-happy test image has 3 occasions of multi-block CE.
All three only span over 2 blocks each.
---
core/fs/iso9660/susp_rr.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/core/fs/iso9660/susp_rr.c b/core/fs/iso9660/susp_rr.c
index f609f7f..3d99b74 100644
--- a/core/fs/iso9660/susp_rr.c
+++ b/core/fs/iso9660/susp_rr.c
@@ -201,6 +201,10 @@ static int susp_rr_switch_to_ca(struct susp_rr_iter *iter)
iter->ce_allocated = 0;
if (num_blocks > 1) {
/* The blocks are expected contiguously. Need to consolidate them. */
+ if (num_blocks > 50) {
+ dprintf("susp_rr.c: More than 100 KB claimed by a CE entry.\n");
+ return -1;
+ }
iter->ce_data = malloc(num_blocks * 2048);
if (susp_rr_is_out_of_mem(iter->ce_data))
return -1;
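Review bot: the limit in the added `if (num_blocks > 50) {` line is a bare literal. Its meaning depends on the 2048 in `malloc(num_blocks * 2048)` just below and on the "100 KB" wording in the dprintf text, so the three values can drift apart if any one of them is changed later. A named constant for the maximum number of CE blocks, with a comment giving the resulting byte limit, would keep the check, the allocation and the message in step. The new branch also returns -1, the same value as the out-of-memory path two lines further down, so a caller cannot tell a rejected oversized CE claim from an allocation failure. Either use a distinct return value or add a comment saying that both cases are handled alike on purpose.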