[tracker] libtracker-data: Fix crash due to overflow in journal reader



commit b75b6732ea6f04b6885335e90a56105fb83b48e0
Author: JÃrg Billeter <j bitron ch>
Date:   Thu Dec 8 11:13:03 2011 +0100

    libtracker-data: Fix crash due to overflow in journal reader
    
    Fixes GB#664833.

 src/libtracker-data/tracker-db-journal.c |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)
---
diff --git a/src/libtracker-data/tracker-db-journal.c b/src/libtracker-data/tracker-db-journal.c
index a227025..a9365c1 100644
--- a/src/libtracker-data/tracker-db-journal.c
+++ b/src/libtracker-data/tracker-db-journal.c
@@ -1657,6 +1657,17 @@ db_journal_reader_next (JournalReader *jreader, gboolean global_reader, GError *
 			return FALSE;
 		}
 
+		/* Check that entry is smaller than the rest of the file.
+		   Very large entry_size could otherwise cause an overflow
+		   in entry_begin + entry_size below. */
+		if ((gint64) entry_size > (gint64) (jreader->end - jreader->entry_begin)) {
+			g_set_error (error, TRACKER_DB_JOURNAL_ERROR,
+			             TRACKER_DB_JOURNAL_ERROR_DAMAGED_JOURNAL_ENTRY,
+			             "Damaged journal entry, size %u > %ld (rest of the file)",
+			             entry_size, jreader->end - jreader->entry_begin);
+			return FALSE;
+		}
+
 		if (!jreader->stream) {
 			/* Set the bounds for the entry */
 			jreader->entry_end = jreader->entry_begin + entry_size;
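Review bot: The error message in the added check passes `jreader->end - jreader->entry_begin` to `%ld`, but if those fields are pointers (as the `entry_begin + entry_size` arithmetic suggests) the argument is a `ptrdiff_t`, which is not `long` on every platform. Reusing the cast from the comparison avoids the mismatch: `"Damaged journal entry, size %u > %" G_GINT64_FORMAT " (rest of the file)", entry_size, (gint64) (jreader->end - jreader->entry_begin));`. Separately, the new check runs before `if (!jreader->stream)`, so it also applies in stream mode. The hunk does not show whether `end` and `entry_begin` describe the remaining data in that mode, so this is worth confirming, or the check could move inside the non-stream branch with an equivalent length check for the stream path. The body of `db_journal_reader_next` starts and ends outside this hunk.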


