Unshield crashes on this (slightly corrupted) archive:
$ unshield t data1.cab
Segmentation fault
GDB says it's an out-of-bounds read:
#0 0xf7fb565a in get_unaligned_le32 (p=0x5f40e4e8 <error: Cannot access memory at address 0x5f40e4e8>) at internal.h:138
#1 0xf7fb5732 in unshield_component_new (header=0x804dfd0, offset=1463549952) at component.c:30
#2 0xf7fb8eff in unshield_header_get_components (header=0x804dfd0) at libunshield.c:155
#3 0xf7fb942d in unshield_read_headers (unshield=0x804dfb0, version=-1) at libunshield.c:309
#4 0xf7fb95db in unshield_open_force_version (filename=0xffffda22 "data1.cab", version=-1) at libunshield.c:361
#5 0x08049db1 in main (argc=3, argv=0xffffd864) at unshield.c:574
Triaging: the files are corrupted such that they give a huge offset between header components. #1 0xf7fb5732 in unshield_component_new (header=0x804dfd0, offset=1463549952) at component.c:30
This allows unshield_header_get_buffer in lib/helper.c to return a pointer to memory outside of the header. Here's the code
Possible fix: before returning header->data + header->common.cab_descriptor_offset + offset, check that it is within the size of the header (header->data + header->common.cab_descriptor_offset + offset is < header->data + header->size; probably need to add 2 or 4 to each of them for 16- or 32-bit reads as well).
Original report in Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776239
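The following is an added example of the bounds check proposed in the triage comment above; it is not unshield's own code. The Header struct is a hypothetical stand-in carrying only the fields the check needs (data, size, common.cab_descriptor_offset), read_le32 is an independent stand-in for get_unaligned_le32, and the 64-byte sample header is constructed inline. The check is done on 64-bit integers rather than on pointers so that a corrupted offset such as the 1463549952 in the backtrace is rejected before any out-of-range pointer is formed, and the caller passes the width of the read so 16- and 32-bit reads near the end of the buffer are also caught.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for unshield's header: only the fields the
 * bounds check needs are modelled (the real struct lives in lib/internal.h). */
typedef struct {
    uint8_t *data;                       /* the whole header buffer */
    size_t   size;                       /* number of bytes in data */
    struct {
        uint32_t cab_descriptor_offset;  /* start of the CAB descriptor inside data */
    } common;
} Header;

/* Little-endian 32-bit read that tolerates unaligned pointers
 * (same job as unshield's get_unaligned_le32, written independently here). */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Return a pointer to `len` bytes at cab_descriptor_offset + offset, or NULL
 * when that range does not lie entirely inside data[0 .. size).
 * The sum is computed in uint64_t, not via pointer arithmetic, so a huge or
 * wrapping offset cannot produce an out-of-range pointer before the check. */
static const uint8_t *header_get_buffer_checked(const Header *h,
                                                uint32_t offset, size_t len)
{
    uint64_t start = (uint64_t)h->common.cab_descriptor_offset + offset;
    if (start > h->size || len > (uint64_t)h->size - start)
        return NULL;
    return h->data + (size_t)start;
}

/* Checked 32-bit read; false means "would read outside the header". */
static bool header_read_le32(const Header *h, uint32_t offset, uint32_t *out)
{
    const uint8_t *p = header_get_buffer_checked(h, offset, sizeof(uint32_t));
    if (p == NULL)
        return false;
    *out = read_le32(p);
    return true;
}

/* Constructed sample header: 64 bytes, descriptor starts at byte 16, and a
 * little-endian 0x11223344 is stored at descriptor offset 8 (absolute byte 24). */
#define SAMPLE_SIZE 64
static uint8_t sample_data[SAMPLE_SIZE];

static Header make_sample_header(void)
{
    Header h;
    memset(sample_data, 0, sizeof sample_data);
    sample_data[24] = 0x44; sample_data[25] = 0x33;
    sample_data[26] = 0x22; sample_data[27] = 0x11;
    h.data = sample_data;
    h.size = SAMPLE_SIZE;
    h.common.cab_descriptor_offset = 16;
    return h;
}

/* Mirrors the failing call in the backtrace: component offset 1463549952.
 * With the check in place the read is refused instead of segfaulting. */
static bool corrupted_offset_is_rejected(void)
{
    Header h = make_sample_header();
    uint32_t v = 0;
    return !header_read_le32(&h, 1463549952u, &v);
}
```

Callers such as unshield_component_new would then treat a NULL from the checked lookup as a corrupt archive and fail the open, rather than dereferencing the pointer.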