46 lines
1.8 KiB
Diff
46 lines
1.8 KiB
Diff
From 8138e767bf6df7cccf1664f3a854e596628fdb2d Mon Sep 17 00:00:00 2001
|
|
From: Nathan Owens <ndowens04@gmail.com>
|
|
Date: Sat, 28 Dec 2019 18:25:58 -0600
|
|
Subject: [PATCH] matio: CVE-2019-20020 patch
|
|
|
|
Signed-off-by: Nathan Owens <ndowens04@gmail.com>
|
|
---
|
|
src/mat5.c | 18 +++++++++++++++++-
|
|
1 file changed, 17 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/mat5.c b/src/mat5.c
|
|
index abdb351..776f233 100644
|
|
--- src/mat5.c
|
|
+++ src/mat5.c
|
|
@@ -980,10 +980,26 @@ ReadNextCell( mat_t *mat, matvar_t *matvar )
|
|
/* Rank and Dimension */
|
|
if ( uncomp_buf[0] == MAT_T_INT32 ) {
|
|
int j;
|
|
+ size_t size;
|
|
cells[i]->rank = uncomp_buf[1];
|
|
nbytes -= cells[i]->rank;
|
|
cells[i]->rank /= 4;
|
|
- cells[i]->dims = (size_t*)malloc(cells[i]->rank*sizeof(*cells[i]->dims));
|
|
+ if ( 0 == do_clean && cells[i]->rank > 13 ) {
|
|
+ int rank = cells[i]->rank;
|
|
+ cells[i]->rank = 0;
|
|
+ Mat_Critical("%d is not a valid rank", rank);
|
|
+ continue;
|
|
+ }
|
|
+ err = SafeMul(&size, cells[i]->rank, sizeof(*cells[i]->dims));
|
|
+ if ( err ) {
|
|
+ if ( do_clean )
|
|
+ free(dims);
|
|
+ Mat_VarFree(cells[i]);
|
|
+ cells[i] = NULL;
|
|
+ Mat_Critical("Integer multiplication overflow");
|
|
+ continue;
|
|
+ }
|
|
+ cells[i]->dims = (size_t*)malloc(size);
|
|
if ( mat->byteswap ) {
|
|
for ( j = 0; j < cells[i]->rank; j++ )
|
|
cells[i]->dims[j] = Mat_uint32Swap(dims + j);
|
|
--
|
|
2.24.1
|
|
|