* [PATCH 0/2] v4l-utils: Fix crashes found by Mayhem
@ 2013-06-27 21:11 Gregor Jasny
2013-06-27 21:11 ` [PATCH 1/2] libv4lconvert: Prevent integer overflow by checking width and height Gregor Jasny
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Gregor Jasny @ 2013-06-27 21:11 UTC (permalink / raw)
To: linux-media; +Cc: Gregor Jasny
The Mayhem Team ran their code checker over the Debian archive and
also found two crashes in v4l-utils.
See http://lists.debian.org/debian-devel/2013/06/msg00720.html
Gregor Jasny (2):
libv4lconvert: Prevent integer overflow by checking width and height
keytable: Always check if strtok return value is null
lib/libv4lconvert/ov511-decomp.c | 7 ++++++-
lib/libv4lconvert/ov518-decomp.c | 7 ++++++-
utils/keytable/keytable.c | 19 ++++++++++++++++---
3 files changed, 28 insertions(+), 5 deletions(-)
--
1.8.3.1
* [PATCH 1/2] libv4lconvert: Prevent integer overflow by checking width and height
2013-06-27 21:11 [PATCH 0/2] v4l-utils: Fix crashes found by Mayhem Gregor Jasny
@ 2013-06-27 21:11 ` Gregor Jasny
2013-06-27 21:11 ` [PATCH 2/2] keytable: Always check if strtok return value is null Gregor Jasny
2013-06-27 22:31 ` [PATCH 0/2] v4l-utils: Fix crashes found by Mayhem Hans de Goede
2 siblings, 0 replies; 4+ messages in thread
From: Gregor Jasny @ 2013-06-27 21:11 UTC (permalink / raw)
To: linux-media; +Cc: Gregor Jasny
The Mayhem Team found a crash caused by an integer overflow.
Details are here:
http://www.forallsecure.com/bug-reports/8aae67d864bce76993f3f9812b4a2aeea0eb38da/
Signed-off-by: Gregor Jasny <gjasny@googlemail.com>
---
lib/libv4lconvert/ov511-decomp.c | 7 ++++++-
lib/libv4lconvert/ov518-decomp.c | 7 ++++++-
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/lib/libv4lconvert/ov511-decomp.c b/lib/libv4lconvert/ov511-decomp.c
index 90fc4b1..971d497 100644
--- a/lib/libv4lconvert/ov511-decomp.c
+++ b/lib/libv4lconvert/ov511-decomp.c
@@ -14,6 +14,7 @@
* Free Software Foundation; version 2 of the License.
*/
+#include <limits.h>
#include <string.h>
#include <unistd.h>
#include "helper-funcs.h"
@@ -640,7 +641,11 @@ int main(int argc, char *argv[])
dest_size = width * height * 3 / 2;
- if (dest_size > sizeof(dest_buf)) {
+ if (width <= 0 || width > SHRT_MAX || height <= 0 || height > SHRT_MAX) {
+ fprintf(stderr, "%s: error: width or height out of bounds\n",
+ argv[0]);
+ dest_size = -1;
+ } else if (dest_size > sizeof(dest_buf)) {
fprintf(stderr, "%s: error: dest_buf too small, need: %d\n",
argv[0], dest_size);
dest_size = -1;
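Review bot: the context line `dest_size = width * height * 3 / 2;` above the new check still runs before width and height are validated, so the multiplication can overflow before the bounds test is reached. The SHRT_MAX limit does not make the product safe on its own either: 32767 * 32767 * 3 is roughly 3.2e9, which is larger than INT_MAX for a 32-bit int (the `%d` format suggests dest_size is an int; the types of width and height are not visible in this hunk). Suggest moving the assignment into the branch taken after the bounds check passes and computing it in a wider unsigned type such as size_t, so the result does not depend on signed wrap-around and the comparison with `sizeof(dest_buf)` is between like types.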
diff --git a/lib/libv4lconvert/ov518-decomp.c b/lib/libv4lconvert/ov518-decomp.c
index 47b5cbb..91d908c 100644
--- a/lib/libv4lconvert/ov518-decomp.c
+++ b/lib/libv4lconvert/ov518-decomp.c
@@ -15,6 +15,7 @@
* Free Software Foundation; version 2 of the License.
*/
+#include <limits.h>
#include <string.h>
#include <unistd.h>
#include "helper-funcs.h"
@@ -1454,7 +1455,11 @@ int main(int argc, char *argv[])
dest_size = width * height * 3 / 2;
- if (dest_size > sizeof(dest_buf)) {
+ if (width <= 0 || width > SHRT_MAX || height <= 0 || height > SHRT_MAX) {
+ fprintf(stderr, "%s: error: width or height out of bounds\n",
+ argv[0]);
+ dest_size = -1;
+ } else if (dest_size > sizeof(dest_buf)) {
fprintf(stderr, "%s: error: dest_buf too small, need: %d\n",
argv[0], dest_size);
dest_size = -1;
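Review bot: the test starting `if (width <= 0 || width > SHRT_MAX || ...` and its error message are a verbatim copy of what this patch adds to ov511-decomp.c. Both files include helper-funcs.h, so a small shared helper there that validates the dimensions and returns the destination size (or an error) would keep the two decompressors from drifting apart. A one-line comment on why SHRT_MAX is the chosen limit would also help the next reader, since the bound is not derived from `sizeof(dest_buf)`.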
--
1.8.3.1
* [PATCH 2/2] keytable: Always check if strtok return value is null
2013-06-27 21:11 [PATCH 0/2] v4l-utils: Fix crashes found by Mayhem Gregor Jasny
2013-06-27 21:11 ` [PATCH 1/2] libv4lconvert: Prevent integer overflow by checking width and height Gregor Jasny
@ 2013-06-27 21:11 ` Gregor Jasny
2013-06-27 22:31 ` [PATCH 0/2] v4l-utils: Fix crashes found by Mayhem Hans de Goede
2 siblings, 0 replies; 4+ messages in thread
From: Gregor Jasny @ 2013-06-27 21:11 UTC (permalink / raw)
To: linux-media; +Cc: Gregor Jasny
The Mayhem Team found a crash caused by a nullptr.
Details are here:
http://www.forallsecure.com/bug-reports/567323cd26f180910beb03ae26afb40c432a0c6a/
Signed-off-by: Gregor Jasny <gjasny@googlemail.com>
---
utils/keytable/keytable.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/utils/keytable/keytable.c b/utils/keytable/keytable.c
index 06b3d95..8bcd5c4 100644
--- a/utils/keytable/keytable.c
+++ b/utils/keytable/keytable.c
@@ -207,13 +207,19 @@ static error_t parse_keyfile(char *fname, char **table)
p++;
p = strtok(p, "\n\t =:");
do {
+ if (!p)
+ goto err_einval;
if (!strcmp(p, "table")) {
p = strtok(NULL,"\n, ");
+ if (!p)
+ goto err_einval;
*table = malloc(strlen(p) + 1);
strcpy(*table, p);
} else if (!strcmp(p, "type")) {
p = strtok(NULL, " ,\n");
do {
+ if (!p)
+ goto err_einval;
if (!strcasecmp(p,"rc5") || !strcasecmp(p,"rc-5"))
ch_proto |= RC_5;
else if (!strcasecmp(p,"rc6") || !strcasecmp(p,"rc-6"))
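Review bot: in the "table" branch the new `if (!p)` check protects `strlen(p)`, but the result of `*table = malloc(strlen(p) + 1);` is still passed straight to `strcpy(*table, p);` without a NULL test, so an allocation failure crashes at the same spot this patch is hardening. Suggest checking the allocation (or using strdup and checking its result) and taking an error path there as well. The commit message could also state which malformed keyfile input reaches each of the three new checks, since the linked report is the only place that is described.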
@@ -447,6 +453,8 @@ static error_t parse_opt(int k, char *arg, struct argp_state *state)
case 'p':
p = strtok(arg, ",;");
do {
+ if (!p)
+ goto err_inval;
if (!strcasecmp(p,"rc5") || !strcasecmp(p,"rc-5"))
ch_proto |= RC_5;
else if (!strcasecmp(p,"rc6") || !strcasecmp(p,"rc-6"))
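Review bot: the `if (!p)` test is placed inside the `do` body, so it is evaluated on every pass; if the loop condition (outside this hunk) already stops on a NULL token, only the first pass can hit it, and testing once right after `p = strtok(arg, ",;");` before the `do` would make that intent explicit. Also note that this hunk jumps to `err_inval` while the parse_keyfile hunk uses `err_einval`; the labels are not visible here, so it is worth confirming the different spelling is intentional.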
@@ -813,14 +821,19 @@ static int v1_get_sw_enabled_protocol(char *dirname)
return 0;
}
- p = strtok(buf, " \n");
- rc = atoi(p);
-
if (fclose(fp)) {
perror(name);
return errno;
}
+ p = strtok(buf, " \n");
+ if (!p) {
+ fprintf(stderr, "%s has invalid content: '%s'\n", name, buf);
+ return 0;
+ }
+
+ rc = atoi(p);
+
if (debug)
fprintf(stderr, "protocol %s is %s\n",
name, rc? "enabled" : "disabled");
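Review bot: `rc = atoi(p);` still accepts any non-numeric token and silently yields 0, so the new "invalid content" path only catches an empty or whitespace-only buffer. Since this hunk is about validating the file content, strtol with an end-pointer check would reject garbage as well. The new `return 0;` on invalid content is also the same value as the earlier `return 0;` in the context above, whereas the fclose failure returns errno; suggest returning a distinct error code so the caller can tell invalid content apart from that earlier case.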
--
1.8.3.1
* Re: [PATCH 0/2] v4l-utils: Fix crashes found by Mayhem
2013-06-27 21:11 [PATCH 0/2] v4l-utils: Fix crashes found by Mayhem Gregor Jasny
2013-06-27 21:11 ` [PATCH 1/2] libv4lconvert: Prevent integer overflow by checking width and height Gregor Jasny
2013-06-27 21:11 ` [PATCH 2/2] keytable: Always check if strtok return value is null Gregor Jasny
@ 2013-06-27 22:31 ` Hans de Goede
2 siblings, 0 replies; 4+ messages in thread
From: Hans de Goede @ 2013-06-27 22:31 UTC (permalink / raw)
To: Gregor Jasny; +Cc: linux-media
Hi,
Thanks for working on this, both patches look good, ack series.
Regards,
Hans
On 06/27/2013 11:11 PM, Gregor Jasny wrote:
> The Mayhem Team ran their code checker over the Debian archive and
> also found two crashes in v4l-utils.
>
> See http://lists.debian.org/debian-devel/2013/06/msg00720.html
>
> Gregor Jasny (2):
> libv4lconvert: Prevent integer overflow by checking width and height
> keytable: Always check if strtok return value is null
>
> lib/libv4lconvert/ov511-decomp.c | 7 ++++++-
> lib/libv4lconvert/ov518-decomp.c | 7 ++++++-
> utils/keytable/keytable.c | 19 ++++++++++++++++---
> 3 files changed, 28 insertions(+), 5 deletions(-)
>