From c14d07ef20c3f403fcfa59502b74c66933473431 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Wed, 17 Jan 2018 10:49:41 +0100
Subject: [PATCH 25/29] Fix integer overflow vulnerability in util/read.c.

This vulnerability is caused by a regression introduced in d468907. In this commit we cast the result of readUInt8(f) before left shifting by 24 in order to avoid out of range shift. This commit fixes CVE-2018-5251 (fixes #98).
---
 util/read.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util/read.c b/util/read.c
index ed59052a..32f4c673 100644
--- a/util/read.c
+++ b/util/read.c
@@ -168,7 +168,7 @@ long readSInt32(FILE *f)
 result |= readUInt8(f);
 result |= readUInt8(f) << 8;
 result |= readUInt8(f) << 16;
- result |= readUInt8(f) << 24;
+ result |= (long) readUInt8(f) << 24;
 return result;
 }

@@ -178,7 +178,7 @@ unsigned long readUInt32(FILE *f)
 result |= readUInt8(f);
 result |= readUInt8(f) << 8;
 result |= readUInt8(f) << 16;
- result |= readUInt8(f) << 24;
+ result |= (unsigned long) readUInt8(f) << 24;
 return result;
 }

-- 
2.14.3
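Review bot: In readSInt32 the `(long)` cast removes the out-of-range shift only where `long` is wider than 32 bits; on a target with a 32-bit `long`, a top byte of 0x80 or more is still shifted into the sign bit, which is undefined. Where `long` is 64 bits the shift is defined but the value is no longer sign-extended, so a stored negative 32-bit value would presumably come back as a large positive one (the declaration of `result` is outside the hunk, so this assumes it is a `long`). Assembling the value in a fixed-width unsigned type and converting once at the end avoids both: declare `result` as `uint32_t`, use `result |= (uint32_t) readUInt8(f) << 24;`, and finish with `return (int32_t) result;`. The `(unsigned long)` cast in the readUInt32 hunk is well defined as written. Both function bodies start outside their hunks, so the return type and error behaviour of readUInt8 should be checked before relying on either cast.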