From 059933c07418ed6c6c272074d8065b02e585407a Mon Sep 17 00:00:00 2001
From: Balint Reczey <balint@balintreczey.hu>
Date: Mon, 2 Jan 2017 21:28:17 +0100
Subject: [PATCH 3/8] Exit immediately when unexpected EOF is by fgetc() in utility programs
Fixes CVE-2016-9831
Fixes: #58
---
 util/listfdb.c | 24 +++++++++++++++++++++++-
 util/listjpeg.c | 13 ++++++++-----
 util/old/listswf.c | 5 +++++
 util/old/read.c | 32 +++++++++++++++++++++++++++++---
 util/read.c | 32 +++++++++++++++++++++++++++++---
 5 files changed, 94 insertions(+), 12 deletions(-)
--- a/util/listfdb.c
+++ b/util/listfdb.c
@@ -71,12 +71,24 @@
 {
 ret <<= 8;
 ret += fgetc(f);
+ if (feof(f))
+ {
+ fprintf(stderr, "truncated file\n");
+ exit(-1);
+ }
+
 ++fileOffset;
 number -= 8;
 }
 ++fileOffset;
 buffer = fgetc(f);
+ if (feof(f))
+ {
+ fprintf(stderr, "truncated file\n");
+ exit(-1);
+ }
+
 if(number>0)
 {
@@ -108,9 +120,19 @@
 int readUInt8(FILE *f)
 {
+ int tmp_char = fgetc(f);
+ // the rest of the code does not handle errors and use EOF as a valid unsigned char value
+ if (tmp_char == EOF)
+ {
+ // exit here instead of crashing elswhere
+ fprintf(stderr, "truncated file\n");
+ exit(-1);
+ }
+
 bufbits = 0;
 ++fileOffset;
- return fgetc(f);
+
+ return tmp_char;
 }
 int readSInt8(FILE *f)
--- a/util/listjpeg.c
+++ b/util/listjpeg.c
@@ -52,11 +52,14 @@
 if(c != JPEG_SOI && c != JPEG_EOI)
 {
- l = (fgetc(f)<<8) + fgetc(f);
- printf("%i bytes\n", l);
+ int tmp_char = fgetc(f);
+ if (!feof(f)) {
+ l = (tmp_char << 8) + fgetc(f);
+ printf("%i bytes\n", l);
- for(l-=2; l>0; --l)
- fgetc(f);
+ for(l-=2; l>0; --l)
+ fgetc(f);
+ }
 }
 }
 }
--- a/util/read.c
+++ b/util/read.c
@@ -23,6 +23,7 @@
 int readBits(FILE *f, int number)
 {
 int ret = buffer;
+ int tmp_char;
 if(number == bufbits)
 {
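Review bot: In util/listfdb.c, the two checks added to the bit-reading loop (hunk `@@ -71,12 +71,24 @@`) test `feof(f)`, which stays false when fgetc() fails with a read error, so the EOF value (-1) is still folded into `ret` or stored in `buffer` in that case. The same patch compares the return value itself in readUInt8 and in util/read.c; doing that here (`int tmp_char = fgetc(f); if (tmp_char == EOF) { ... }` ahead of `ret += tmp_char;`) covers both end-of-file and I/O errors and keeps the two copies of the reader consistent. The enclosing function starts and ends outside the hunk. A smaller point: `exit(-1)` reaches the parent as status 255 on POSIX systems, so `exit(EXIT_FAILURE)` would be the clearer spelling.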
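Review bot: In util/listjpeg.c (hunk `@@ -52,11 +52,14 @@`) only the first length byte is guarded: the second `fgetc(f)` in `l = (tmp_char << 8) + fgetc(f);` and the skip loop `for(l-=2; l>0; --l) fgetc(f);` still ignore EOF, so a file cut inside a segment prints a bogus length and then issues up to 64K failing reads. The guard is `feof(f)` rather than a test of the return value, so on a read error `tmp_char` is -1 and `tmp_char << 8` shifts a negative value, which is undefined behaviour. Unlike the other utilities in this patch the truncated case is silent, and whether the enclosing loop (outside the hunk) then terminates cannot be seen from here. The sketch below checks both length bytes and the skip loop against `EOF`; it assumes exiting is acceptable in this tool as it is in listfdb.c and read.c.

```c
// … unchanged: if(c != JPEG_SOI && c != JPEG_EOI) { …
int hi = fgetc(f);
int lo = (hi == EOF) ? EOF : fgetc(f);

if (hi == EOF || lo == EOF)
{
  fprintf(stderr, "truncated file\n");
  exit(-1);
}

l = (hi << 8) + lo;
printf("%i bytes\n", l);

for(l-=2; l>0; --l)
{
  if (fgetc(f) == EOF)
  {
    fprintf(stderr, "truncated file\n");
    exit(-1);
  }
}
```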
@@ -37,14 +38,30 @@
 while(number>8)
 {
+ tmp_char = fgetc(f);
+ if (tmp_char == EOF)
+ {
+ // exit here instead of crashing elswhere
+ fprintf(stderr, "truncated file\n");
+ exit(-1);
+ }
+
 ret <<= 8;
- ret += fgetc(f);
+ ret += tmp_char;
 ++fileOffset;
 number -= 8;
 }
 ++fileOffset;
- buffer = fgetc(f);
+ tmp_char = fgetc(f);
+ if (tmp_char == EOF)
+ {
+ // exit here instead of crashing elswhere
+ fprintf(stderr, "truncated file\n");
+ exit(-1);
+ }
+
+ buffer = tmp_char;
 if(number>0)
 {
@@ -88,9 +105,18 @@
 int readUInt8(FILE *f)
 {
+ int tmp_char = fgetc(f);
+ // the rest of the code does not handle errors and use EOF as a valid unsigned char value
+ if (tmp_char == EOF)
+ {
+ // exit here instead of crashing elswhere
+ fprintf(stderr, "truncated file\n");
+ exit(-1);
+ }
+
 bufbits = 0;
 ++fileOffset;
- return fgetc(f);
+ return tmp_char;
 }
 int readSInt8(FILE *f)
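Review bot: The same seven-line EOF check is pasted twice into readBits in util/read.c (hunk `@@ -37,14 +38,30 @@`), again in readUInt8 in the next hunk, and in util/listfdb.c, where the readBits copy has already drifted to `feof(f)`. A single static helper that reads one byte and exits on `EOF` would keep every call site identical and make it harder for a later reader function to miss the check. The helper could also consult `ferror(f)` so that an I/O error is not reported as "truncated file". readBits begins in the previous hunk and continues past this one.

```c
/* Read one byte; a truncated or unreadable file ends the program here. */
static int readByteOrExit(FILE *f)
{
  int c = fgetc(f);

  if (c == EOF)
  {
    fprintf(stderr, "truncated file\n");
    exit(-1);
  }

  return c;
}

// … unchanged: readBits() up to the while(number>8) loop …
    ret <<= 8;
    ret += readByteOrExit(f);
// … unchanged: ++fileOffset; number -= 8; end of loop …

  ++fileOffset;
  buffer = readByteOrExit(f);
```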