From c14d07ef20c3f403fcfa59502b74c66933473431 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Wed, 17 Jan 2018 10:49:41 +0100
Subject: [PATCH 25/29] Fix integer overflow vulnerability in util/read.c.

This vulnerability is caused by a regression introduced in
d468907.

In this commit we cast the result of readUInt8(f) before left
shifting by 24 in order to avoid out of range shift.

This commit fixes CVE-2018-5251 (fixes #98).
---
 util/read.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util/read.c b/util/read.c
index ed59052a..32f4c673 100644
--- a/util/read.c
+++ b/util/read.c
@@ -168,7 +168,7 @@ long readSInt32(FILE *f)
   result |= readUInt8(f);
   result |= readUInt8(f) << 8;
   result |= readUInt8(f) << 16;
-  result |= readUInt8(f) << 24;
+  result |= (long) readUInt8(f) << 24;
   return result;
 }
 
@@ -178,7 +178,7 @@ unsigned long readUInt32(FILE *f)
   result |= readUInt8(f);
   result |= readUInt8(f) << 8;
   result |= readUInt8(f) << 16;
-  result |= readUInt8(f) << 24;
+  result |= (unsigned long) readUInt8(f) << 24;
   return result;
 }
 
-- 
2.14.3