diff options
author | Jeremy Allison <jra@samba.org> | 2019-03-25 10:32:08 -0700 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2019-05-15 21:26:12 +0000 |
commit | 226544f6f5699891bbd933361c65750a26cfaccf (patch) | |
tree | c520157a021a2733c94fe9c1ce102aa8dce939e4 /source3/registry | |
parent | 0daa0ff921b270df9b794f02acbaa391c95cd89b (diff) | |
download | samba-226544f6f5699891bbd933361c65750a26cfaccf.tar.gz |
s3: net: Harden guess_charset() against overflow errors.
Found by Michael Hanselmann using fuzzing tools
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13842
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source3/registry')
-rw-r--r-- | source3/registry/reg_parse.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/source3/registry/reg_parse.c b/source3/registry/reg_parse.c index 81815a4fd98..3093e6acf76 100644 --- a/source3/registry/reg_parse.c +++ b/source3/registry/reg_parse.c @@ -688,7 +688,15 @@ static bool guess_charset(const char** ptr, } if (srprs_bom(&pos, &charset, NULL)) { - *len -= (pos - *ptr); + size_t declen; + if (pos < *ptr) { + return false; + } + declen = (pos - *ptr); + if (*len < declen) { + return false; + } + *len -= declen; *ptr = pos; if (*file_enc == NULL) { *file_enc = charset; |