authorAlexander Larsson <alexl@redhat.com>2013-06-14 10:55:21 +0200
committerAlexander Larsson <alexl@redhat.com>2013-06-14 11:07:41 +0200
commit5a4f9e6a366e40a6967ff1569c7c2eaaabd5c4a1 (patch)
tree177d0da78b35d7687a94ecdaf815e7b0f36af7cc
parent7aa0c533a78dead59ea0c1a6bc132b8d8e051bcf (diff)
metadata: Fix short journal check
This was reading the size from the wrong place (*sizep instead of *(sizep-1)), and the out-of-bounds checks were wrong. https://bugzilla.gnome.org/show_bug.cgi?id=637095
-rw-r--r--metadata/metatree.c17
1 files changed, 11 insertions, 6 deletions
diff --git a/metadata/metatree.c b/metadata/metatree.c
index 74ae0ca5..a6b3183b 100644
--- a/metadata/metatree.c
+++ b/metadata/metatree.c
@@ -1205,7 +1205,7 @@ meta_journal_iterate (MetaJournal *journal,
gpointer user_data)
{
MetaJournalEntry *entry;
- guint32 *sizep;
+ guint32 *sizep, size;
char *journal_path, *journal_key, *source_path;
char *path_copy, *value;
gboolean res;
@@ -1220,10 +1220,13 @@ meta_journal_iterate (MetaJournal *journal,
while (entry > journal->first_entry)
{
sizep = (guint32 *)entry;
- entry = (MetaJournalEntry *)((char *)entry - GUINT32_FROM_BE (*(sizep-1)));
- if (GUINT32_FROM_BE (*(sizep)) < sizeof (MetaJournalEntry) && entry > journal->first_entry)
+ size = GUINT32_FROM_BE (*(sizep-1));
+ entry = (MetaJournalEntry *)((char *)entry - size);
+ if (size < sizeof (MetaJournalEntry) ||
+ entry < journal->first_entry ||
+ entry >= journal->last_entry)
{
- g_debug ("meta_journal_iterate: found short sized entry, possible journal corruption\n");
+ g_warning ("meta_journal_iterate: found wrong sized entry, possible journal corruption\n");
break;
}
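Review bot: The new range check only runs after `size` has already been subtracted from `entry`, so a corrupted size larger than the distance back to `journal->first_entry` yields an out-of-range pointer (undefined behaviour in C, a wrapped address in practice) before the check can reject it; bounding the size against that distance first avoids the arithmetic altogether, e.g. `if (size < sizeof (MetaJournalEntry) || size > (gsize) ((char *) entry - (char *) journal->first_entry))` with the warning and `break` in the body, and only then `entry = (MetaJournalEntry *)((char *)entry - size);`. The read of `*(sizep-1)` also assumes at least four bytes lie between `journal->first_entry` and `entry`, which the loop condition `entry > journal->first_entry` by itself does not appear to guarantee — worth confirming against how first_entry and the initial entry are set, which is outside this hunk. meta_journal_iterate begins in the previous hunk and its body continues past this one.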
@@ -2265,11 +2268,13 @@ apply_journal_to_builder (MetaTree *tree,
sizep = (guint32 *)entry;
entry = (MetaJournalEntry *)((char *)entry + GUINT32_FROM_BE (*(sizep)));
- if (GUINT32_FROM_BE (*(sizep)) < sizeof (MetaJournalEntry) && entry < journal->last_entry)
+ if (GUINT32_FROM_BE (*(sizep)) < sizeof (MetaJournalEntry) ||
+ entry < journal->first_entry ||
+ entry > journal->last_entry)
{
/* This shouldn't happen, we found an entry that is shorter than its data */
/* See https://bugzilla.gnome.org/show_bug.cgi?id=637095 for discussion */
- g_warning ("apply_journal_to_builder: found short sized entry, possible journal corruption\n");
+ g_warning ("apply_journal_to_builder: found wrong sized entry, possible journal corruption\n");
break;
}
}
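Review bot: The same ordering issue as in meta_journal_iterate applies here: the size is validated only after it has been added to `entry`, and the `entry < journal->first_entry` test can only fire if that addition wrapped. Reading the size into a local as the other hunk does would also remove the duplicated `GUINT32_FROM_BE (*(sizep))` and let the bound be checked before the step: `size = GUINT32_FROM_BE (*sizep);`, `if (size < sizeof (MetaJournalEntry) || size > (gsize) ((char *) journal->last_entry - (char *) entry))` with the warning and `break` in the body, then `entry = (MetaJournalEntry *)((char *)entry + size);`. The loop header and the rest of apply_journal_to_builder lie outside this hunk, so the declaration of `size` would need adding there as well.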