| commit | 47b6696dcdfe7c5cb6e58ac6586ba45d39c39cc6 | |
| author | Joseph Sutton <josephsutton@catalyst.net.nz> | |
| Wed, 5 Jul 2023 22:50:05 +0000 (6 10:50 +1200) | ||
| committer | Douglas Bagnall <dbagnall@samba.org> | |
| Fri, 7 Jul 2023 00:17:31 +0000 (7 00:17 +0000) | ||
| tree | 3a0188cf1f8dab7a362baf9642678dc9a3c226df | treesnapshot (tar.gz zip) |
| parent | 6f073f258f1f4f03a8eb568ea05be78fdbec49eb | commitdiff |
librpc:ndr: Fix overflow in ndr_push_expand
If ‘size’ was equal to UINT32_MAX, the expression ‘size+1’ could
overflow to zero.
This could result in inadequate memory being allocated, which could
cause ndr_pull_compression_xpress_huff_raw_chunk() to overflow memory
with zero bytes.
Credit to OSS-Fuzz.
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57728
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15415
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
If ‘size’ was equal to UINT32_MAX, the expression ‘size+1’ could
overflow to zero.
This could result in inadequate memory being allocated, which could
cause ndr_pull_compression_xpress_huff_raw_chunk() to overflow memory
with zero bytes.
Credit to OSS-Fuzz.
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57728
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15415
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
| librpc/ndr/ndr.c | diffblobblamehistory |