Fixed some infinite loops that a maliciously-crafted .iso can trigger.
These bugs were exposed by American Fuzzy Lop (AFL), a powerful fuzzer.

http://lcamtuf.coredump.cx/afl/
(transplanted from 4f1bf89597e5b76c1c317fbeb2b472481090b4e4)
icculus committed Oct 23, 2017
1 parent b9fd9e8 commit b8aa7da
Showing 1 changed file with 16 additions and 5 deletions.
21 changes: 16 additions & 5 deletions src/physfs_archiver_iso9660.c
Expand Up @@ -151,18 +151,25 @@ static int iso9660LoadEntries(PHYSFS_Io *io, const int joliet,

/* recordlen = 0 -> no more entries or fill entry */
BAIL_IF_ERRPASS(!__PHYSFS_readAll(io, &recordlen, 1), 0);
if (recordlen == 0)
if (recordlen > 0)
readpos += recordlen; /* ready to seek to next record. */
else
{
PHYSFS_uint64 nextpos;

/* if we are in the last sector of the directory & it's 0 -> end */
if ((dirend - 2048) <= (readpos - 1))
break; /* finished */

/* else skip to the next sector & continue; */
readpos = (((readpos - 1) / 2048) + 1) * 2048;
continue;
} /* if */
nextpos = (((readpos - 1) / 2048) + 1) * 2048;

/* whoops, can't make forward progress! */
BAIL_IF(nextpos == readpos, PHYSFS_ERR_CORRUPT, 0);

readpos += recordlen; /* ready to seek to next record. */
readpos = nextpos;
continue; /* start back at upper loop. */
} /* else */

BAIL_IF_ERRPASS(!__PHYSFS_readAll(io, &extattrlen, 1), 0);
BAIL_IF_ERRPASS(!__PHYSFS_readAll(io, &extent, 4), 0);
Expand Down Expand Up @@ -203,6 +210,10 @@ static int iso9660LoadEntries(PHYSFS_Io *io, const int joliet,
timestamp = (PHYSFS_sint64) mktime(&t);

extent += extattrlen; /* skip extended attribute record. */

/* infinite loop, corrupt file? */
BAIL_IF((extent * 2048) == dirstart, PHYSFS_ERR_CORRUPT, 0);

if (!iso9660AddEntry(io, joliet, isdir, base, fname, fnamelen,
timestamp, extent * 2048, datalen, unpkarc))
{
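Review bot: The cycle guard added before the iso9660AddEntry call only rejects an entry whose extent equals this directory's own `dirstart`, so if iso9660AddEntry descends into subdirectories (which the `dirstart`/`dirend` parameters suggest, though its body is outside the hunk) a crafted image whose entry points at an ancestor directory, or a two-directory cycle (A → B → A), still recurses without bound. A nesting bound carried through the recursion closes that generically, e.g. `BAIL_IF(depth > MAX_DIR_DEPTH /* placeholder: project-chosen */, PHYSFS_ERR_CORRUPT, 0);` at the top of the function; the ISO 9660 format itself caps directory nesting at a small fixed depth, so a generous limit rejects no valid image. Separately, `extent * 2048` is evaluated in extent's own type, and since extent is read as 4 bytes it is presumably 32-bit, so a large value wraps before the comparison and before the offset reaches iso9660AddEntry; widen it first, `((PHYSFS_uint64) extent) * 2048`, in both places. The enclosing function iso9660LoadEntries begins above the first hunk and continues past the second.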
