From ef545814dea8879dfecc9209218160acc71240b1 Mon Sep 17 00:00:00 2001
From: Bernhard Nortmann
Date: Wed, 20 Apr 2016 08:56:16 +0200
Subject: [PATCH] fexc: Improve script_decompile_bin() safeguards
When declaring 'signed' values for section count and version information in the script_bin_head structure, testing them to be below certain thresholds (SCRIPT_BIN_*_LIMIT) is insufficient; as 'negative' values like in "fexc-bin: script.bin: version: -404840454.-1074397186.-1073906177" would still pass. Fix this by making these member fields unsigned.
Signed-off-by: Bernhard Nortmann
---
 script_bin.c | 13 ++++++-------
 script_bin.h | 4 ++--
 2 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/script_bin.c b/script_bin.c
index ce13a2a..0eec7f5 100644
--- a/script_bin.c
+++ b/script_bin.c
@@ -312,17 +312,16 @@ int script_decompile_bin(void *bin, size_t bin_size,
 const char *filename, struct script *script)
 {
- int i;
+ unsigned int i;
 struct script_bin_head *head = bin;
- pr_info("%s: version: %d.%d.%d\n", filename,
- head->version[0], head->version[1],
- head->version[2]);
- pr_info("%s: size: %zu (%d sections)\n", filename,
+ pr_info("%s: version: %u.%u.%u\n", filename,
+ head->version[0], head->version[1], head->version[2]);
+ pr_info("%s: size: %zu (%u sections)\n", filename,
 bin_size, head->sections);
 if (head->sections > SCRIPT_BIN_SECTION_LIMIT) {
- pr_err("Malformed data: too many sections (%d).\n",
+ pr_err("Malformed data: too many sections (%u).\n",
 head->sections);
 return 0;
 }
@@ -330,7 +329,7 @@ int script_decompile_bin(void *bin, size_t bin_size,
 if ((head->version[0] > SCRIPT_BIN_VERSION_LIMIT) ||
 (head->version[1] > SCRIPT_BIN_VERSION_LIMIT) ||
 (head->version[2] > SCRIPT_BIN_VERSION_LIMIT)) {
- pr_err("Malformed data: version %d.%d.%d.\n",
+ pr_err("Malformed data: version %u.%u.%u.\n",
 head->version[0], head->version[1], head->version[2]);
 return 0;
 }
diff --git a/script_bin.h b/script_bin.h
index 0de2867..8f3c1a3 100644
--- a/script_bin.h
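Review bot: In the first script_bin.c hunk, `head->version[]` and `head->sections` are read by the first pr_info() with no preceding check that `bin_size` covers the header, so a truncated or empty script.bin would be read past the end of the buffer unless the caller already guarantees a minimum size. A guard before the first pr_info(), such as `if (bin_size < sizeof(*head)) { pr_err("Malformed data: file too short.\n"); return 0; }`, would close that. The section-count test also compares only against the fixed SCRIPT_BIN_SECTION_LIMIT; relating it to the input, for example `head->sections > (bin_size - sizeof(*head)) / sizeof(head->section[0])`, would keep whatever walks `head->section[]` inside the file. The function body continues outside this hunk, so a later check may already cover part of this.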
+++ b/script_bin.h
@@ -26,8 +26,8 @@ struct script_bin_section {
 /** binary representation of the head of the script file */
 struct script_bin_head {
- int32_t sections;
- int32_t version[3];
+ uint32_t sections;
+ uint32_t version[3];
 struct script_bin_section section[];
 };
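Review bot: Nothing at the struct records that the unsigned types are what make the upper-bound-only tests in script_decompile_bin() sufficient, so a later change back to `int32_t` would silently reintroduce the bypass described in the commit message. I would add a comment above the two fields, for example `/* unsigned on purpose: read from untrusted input and only checked against SCRIPT_BIN_*_LIMIT as an upper bound */`. As a smaller point, the `%u` conversions in script_bin.c match `uint32_t` only where it is `unsigned int`; `PRIu32` from `<inttypes.h>` is the portable spelling.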