[syslinux] [PATCH 4/5] installers: fix a possible buffer overflow when looking for LDLINUX_MAGIC
Pete Batard
pete at akeo.ie
Wed Feb 24 05:02:39 PST 2016
If the ldlinux being processed is garbage, the search for LDLINUX_MAGIC
will overflow its buffer - fix that.
I did encounter this issue in Rufus as, due to notorious
incompatibilities between different versions of ldlinux.sys and the
com32's residing on an ISO, we download a version specific ldlinux.sys
from our server... which may get trashed if the user sits behind one of
these corporate firewalls that modifies the download payload and
replaces it with something like "You are not authorized to download this
file"...
From abd9b0ab4db62e9533dc3938121470b7c529f622 Mon Sep 17 00:00:00 2001
From: Pete Batard <pete at akeo.ie>
Date: Tue, 23 Feb 2016 20:02:10 +0000
Subject: [PATCH 4/5] installers: fix a possible buffer overflow when looking
for LDLINUX_MAGIC
---
libinstaller/syslxmod.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libinstaller/syslxmod.c b/libinstaller/syslxmod.c
index 7bf4d91..581f9fc 100644
--- a/libinstaller/syslxmod.c
+++ b/libinstaller/syslxmod.c
@@ -123,9 +123,11 @@ int syslinux_patch(const sector_t *sectp, int nsectors,
/* Search for LDLINUX_MAGIC to find the patch area */
for (wp = (const uint32_t _slimg *)boot_image;
- get_32_sl(wp) != LDLINUX_MAGIC;
+ (get_32_sl(wp) != LDLINUX_MAGIC) && (((uintptr_t)wp) < ((uintptr_t)boot_image + boot_image_len));
wp++)
;
+ if (((uintptr_t)wp) >= ((uintptr_t)boot_image + boot_image_len))
+ return -1;
patcharea = (struct patch_area _slimg *)wp;
epa = slptr(boot_image, &patcharea->epaoffset);
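Review bot: in the new loop condition the bounds test comes after `get_32_sl(wp)`, so the read still happens before the limit stops the loop: when `wp` reaches `boot_image + boot_image_len` one whole word past the end is read, and when `boot_image_len` is not a multiple of four a `wp` below the limit can still have its 4-byte read straddle the end. Put the bound first and include the read width, e.g. `((uintptr_t)wp + sizeof(uint32_t) <= (uintptr_t)boot_image + boot_image_len) && (get_32_sl(wp) != LDLINUX_MAGIC)`. The `>=` check added after the loop only guarantees that the magic word itself lies inside the image, yet the next lines cast `wp` to `struct patch_area _slimg *` and dereference `patcharea->epaoffset`, so the check should also require `sizeof(struct patch_area)` bytes to remain after `wp`; splitting the long condition over two lines would also keep it within the file's existing line width.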
--
1.9.5.msysgit.1
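A bounds-safe version of the same magic search, as an added example in C that is not part of this patch or of syslinux: it tests the limit before each 4-byte read, accepts a hit only when the structure behind the magic also fits, and is run against constructed images including the "not authorized" HTML page described above. The LDLINUX_MAGIC value is assumed from syslinux's headers; `get_le32`, `find_patch_area`, `scan_constructed` and `scan_garbage` are names chosen here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Value as defined in syslinux's headers (assumption; not shown in the patch). */
#define LDLINUX_MAGIC 0x3eb9db6fu

/* Little-endian 32-bit read, standing in for get_32_sl(). */
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Byte offset of the patch area in img, or -1 if img holds no complete one.
 * Like the patched loop, the scan advances one 32-bit word at a time, but the
 * bound is tested before each 4-byte read, and a hit is only accepted when the
 * whole area_len-byte structure starting at it fits inside the image.
 */
long find_patch_area(const uint8_t *img, size_t len, size_t area_len)
{
    size_t off;
    for (off = 0; off + sizeof(uint32_t) <= len; off += sizeof(uint32_t)) {
        if (get_le32(img + off) != LDLINUX_MAGIC)
            continue;
        if (len - off < area_len)   /* magic found, but the structure runs past the end */
            return -1;
        return (long)off;
    }
    return -1;                      /* no magic at all: garbage, not ldlinux.sys */
}

/*
 * Constructed test image (not real ldlinux.sys data): zeros with the magic word
 * written at magic_off; only the first len bytes are handed to the scan, so
 * len < magic_off + 4 models a download that was cut off mid-word.
 */
long scan_constructed(size_t magic_off, size_t len, size_t area_len)
{
    uint8_t img[64] = {0};
    uint32_t m = LDLINUX_MAGIC;
    img[magic_off] = (uint8_t)m;             img[magic_off + 1] = (uint8_t)(m >> 8);
    img[magic_off + 2] = (uint8_t)(m >> 16); img[magic_off + 3] = (uint8_t)(m >> 24);
    return find_patch_area(img, len, area_len);
}

/* The failure mode from the cover letter: an HTML error page instead of the binary. */
long scan_garbage(void)
{
    const char *html = "<html>You are not authorized to download this file</html>";
    return find_patch_area((const uint8_t *)html, strlen(html), 32);
}
```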