From f57262da9966803ee97a5cecfe24512d38c3625e Mon Sep 17 00:00:00 2001
From: Evan Miller
Date: Sun, 14 Apr 2019 06:44:08 -0400
Subject: [PATCH] SAS7BDAT reader: Improved bounds checking
Fixes oss-fuzz/13262
---
 src/sas/readstat_sas7bdat_read.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/sas/readstat_sas7bdat_read.c b/src/sas/readstat_sas7bdat_read.c
index 61dc159e..2ff13ba7 100644
--- a/src/sas/readstat_sas7bdat_read.c
+++ b/src/sas/readstat_sas7bdat_read.c
@@ -725,7 +725,7 @@ static readstat_error_t sas7bdat_parse_page_pass1(const char *page, size_t page_
 const char *shp = &page[ctx->page_header_size];
 int lshp = ctx->subheader_pointer_size;
- if (ctx->page_header_size + subheader_count*lshp > ctx->page_size) {
+ if (ctx->page_header_size + subheader_count*lshp > page_size) {
 retval = READSTAT_ERROR_PARSE;
 goto cleanup;
 }
@@ -785,10 +785,16 @@ static readstat_error_t sas7bdat_parse_page_pass2(const char *page, size_t page_
 int i;
 const char *shp = &page[ctx->page_header_size];
+ int lshp = ctx->subheader_pointer_size;
+
+ if (ctx->page_header_size + subheader_count*lshp > page_size) {
+ retval = READSTAT_ERROR_PARSE;
+ goto cleanup;
+ }
+
 for (i=0; isubheader_pointer_size;
 if ((retval = sas7bdat_parse_subheader_pointer(shp, page + page_size - shp, &shp_info, ctx)) != READSTAT_OK) {
 goto cleanup;
 }
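Review bot: In sas7bdat_parse_page_pass1 the context line `const char *shp = &page[ctx->page_header_size];` still runs before the corrected check, so when the header size exceeds the buffer the pointer has already been formed past the end of `page` by the time the parse error is returned. Forming such a pointer is undefined in C even though that path never dereferences it; declaring `const char *shp;` and assigning `shp = &page[ctx->page_header_size];` after the check keeps the bound ahead of every use of the offset. The same ordering appears in the sas7bdat_parse_page_pass2 hunk. Whether page_header_size is validated against the page size earlier is not visible here, and both function bodies continue outside their hunks.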
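Review bot: The check added to sas7bdat_parse_page_pass2 is a copy of the one in pass1, and neither copy says why the bound is the `page_size` argument rather than `ctx->page_size`, which is exactly the distinction this commit corrects. A short comment above each, such as `/* the subheader pointer table must fit in the buffer actually passed in */`, would keep the two from drifting apart again; presumably the argument can be smaller than the context's nominal page size, though the caller is outside the hunk. The sum also combines the `int` lshp with operands declared outside the hunk, so it is worth confirming that none of them can be negative before relying on the comparison against what the truncated signature suggests is a `size_t`. The loop header line of this hunk reads as damaged on the page, and the function body continues past the hunk, so this note is limited to the added check.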