s3: net: Harden guess_charset() against overflow errors.

Found by Michael Hanselmann using fuzzing tools BUG: https://bugzilla.samba.org/show_bug.cgi?id=13842 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
author: Jeremy Allison <jra@samba.org> 2019-03-25 10:32:08 -0700
committer: Andrew Bartlett <abartlet@samba.org> 2019-05-15 21:26:12 +0000
commit: 226544f6f5699891bbd933361c65750a26cfaccf (patch)
tree: c520157a021a2733c94fe9c1ce102aa8dce939e4 /source3/registry
parent: 0daa0ff921b270df9b794f02acbaa391c95cd89b (diff)
download: samba-226544f6f5699891bbd933361c65750a26cfaccf.tar.gz
1 files changed, 9 insertions, 1 deletions
diff --git a/source3/registry/reg_parse.c b/source3/registry/reg_parse.c
index 81815a4fd98..3093e6acf76 100644
--- a/source3/registry/reg_parse.c
+++ b/source3/registry/reg_parse.c
@@ -688,7 +688,15 @@ static bool guess_charset(const char** ptr,
 	}
 
 	if (srprs_bom(&pos, &charset, NULL)) {
-		*len -= (pos - *ptr);
+		size_t declen;
+		if (pos < *ptr) {
+			return false;
+		}
+		declen = (pos - *ptr);
+		if (*len < declen) {
+			return false;
+		}
+		*len -= declen;
 		*ptr = pos;
 		if (*file_enc == NULL) {
 			*file_enc = charset;
author	Jeremy Allison <jra@samba.org>	2019-03-25 10:32:08 -0700
committer	Andrew Bartlett <abartlet@samba.org>	2019-05-15 21:26:12 +0000
commit	226544f6f5699891bbd933361c65750a26cfaccf (patch)
tree	c520157a021a2733c94fe9c1ce102aa8dce939e4 /source3/registry
parent	0daa0ff921b270df9b794f02acbaa391c95cd89b (diff)
download	samba-226544f6f5699891bbd933361c65750a26cfaccf.tar.gz