From 41c6f5447941e5d36d0554ba874671649353752f Mon Sep 17 00:00:00 2001
From: Ben Pfaff
Date: Tue, 4 Jul 2017 12:58:55 -0400
Subject: [PATCH] sys-file-reader: Fix integer overflows in parse_long_string_missing_values().

Crafted system files caused integer overflow errors that in turn caused aborts. This fixes the problem. CVE-2017-10791. See also https://bugzilla.redhat.com/show_bug.cgi?id=1467004. See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866890. See also https://security-tracker.debian.org/tracker/CVE-2017-10791. Found by team OWL337, using the collAFL fuzzer.
---
 src/data/sys-file-reader.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/data/sys-file-reader.c b/src/data/sys-file-reader.c
index 1745d1dcf..d1676564d 100644
--- a/src/data/sys-file-reader.c
+++ b/src/data/sys-file-reader.c
@@ -2463,7 +2463,8 @@ parse_long_string_value_labels (struct sfm_reader *r,
 ofs += 4;
 
 /* Parse variable name, width, and number of labels. */
- if (!check_overflow (r, record, ofs, var_name_len + 8))
+ if (!check_overflow (r, record, ofs, var_name_len)
+ || !check_overflow (r, record, ofs, var_name_len + 8))
 return;
 var_name = recode_string_pool ("UTF-8", dict_encoding,
 (const char *) record->data + ofs,
@@ -2581,7 +2582,8 @@ parse_long_string_missing_values (struct sfm_reader *r,
 ofs += 4;
 
 /* Parse variable name. */
- if (!check_overflow (r, record, ofs, var_name_len + 1))
+ if (!check_overflow (r, record, ofs, var_name_len)
+ || !check_overflow (r, record, ofs, var_name_len + 1))
 return;
 var_name = recode_string_pool ("UTF-8", dict_encoding,
 (const char *) record->data + ofs,
-- 
2.11.4.GIT
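Review bot: The split check on the new `if` lines is correct only because the first `check_overflow (r, record, ofs, var_name_len)` bounds `var_name_len` by the bytes left in the record, so the `+ 8` in the second call can no longer wrap; that reasoning is nowhere stated and a later cleanup could merge the two calls back into the single vulnerable form. A comment on the new lines would preserve it, e.g. `/* Check var_name_len on its own first: once it fits in the record, var_name_len + 8 cannot wrap around. */`. If `check_overflow` (not visible in this excerpt) compares `ofs + len` against the record size, a variant that instead tests `len > remaining - ofs` would remove the need for two-step checks wherever a file-supplied length has a constant added to it. Note also that the commit subject names only parse_long_string_missing_values(), while this hunk fixes the same wrap in parse_long_string_value_labels(), which matters for anyone mapping CVE-2017-10791 to affected code. parse_long_string_value_labels's body starts and ends outside the hunk.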
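Review bot: The same two-call idiom now appears verbatim here and in parse_long_string_value_labels, differing only in the added constant (1 here, 8 there), so the wrap-safe ordering lives in two places that must be kept in sync by hand; a small static helper taking the extra byte count, e.g. `check_overflow_plus (r, record, ofs, var_name_len, 1)`, would keep that invariant in one spot. The body of parse_long_string_missing_values continues past the hunk, and the missing values read after `var_name` presumably use further file-supplied lengths; any remaining `check_overflow (..., len + k)` call in this file where `len` comes from the record is exposed to the same wrap and deserves the same treatment, though that cannot be confirmed from this excerpt. Whether `var_name_len` is an unsigned type wide enough that the arithmetic here is well defined rather than signed overflow is likewise not visible in the hunk and worth stating in a comment.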