s3: net: Harden guess_charset() against overflow errors.
authorJeremy Allison <jra@samba.org>
Mon, 25 Mar 2019 17:32:08 +0000 (10:32 -0700)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 15 May 2019 21:26:12 +0000 (21:26 +0000)
Found by Michael Hanselmann using fuzzing tools

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13842

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source3/registry/reg_parse.c

index 81815a4fd98f7a4e23407a5c951010377f414ee6..3093e6acf76d178d0ca000813a477f5bb4801a7b 100644 (file)
@@ -688,7 +688,15 @@ static bool guess_charset(const char** ptr,
        }
 
        if (srprs_bom(&pos, &charset, NULL)) {
-               *len -= (pos - *ptr);
+               size_t declen;
+               if (pos < *ptr) {
+                       return false;
+               }
+               declen = (pos - *ptr);
+               if (*len < declen) {
+                       return false;
+               }
+               *len -= declen;
                *ptr = pos;
                if (*file_enc == NULL) {
                        *file_enc = charset;
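Review bot: The new `pos < *ptr` and `*len < declen` checks run only after `srprs_bom(&pos, &charset, NULL)` has returned, and that call is given no length, so the guard covers the `*len` subtraction but not any bytes srprs_bom() reads while matching the BOM. Whether those reads stay within `*len` depends on code outside this hunk; the closing brace just above may end a minimum-length guard, but neither it nor srprs_bom() is visible here. I would record that dependency next to the checks, e.g. `/* srprs_bom() is not told *len: reject a BOM that ends before *ptr or past the buffer */`, and confirm the earlier guard covers the longest BOM srprs_bom() can match. Both new failure paths return a bare `false`, which callers presumably cannot tell apart from "no charset guessed"; a debug-level log line on these two paths would make malformed input visible when triaging. guess_charset() begins and ends outside the hunk.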