Fix integer overflow in msooxml detection

Detection for MS-OOXML files will attempt to load a 32-bit address from the user-provided payload, adding a static offset that may lead to overflow if the original address is already near the max value for the type used. This commit has starting offset calculation be safe via use of `checked_add`, returning `None` if the user-provided address is beyond the bounds allowed.
bojand · Jun 7, 2022 · 1b5bef7 · 1b5bef7
1 parent dca6e8b
commit 1b5bef7
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/matchers/doc.rs b/src/matchers/doc.rs
@@ -67,7 +67,12 @@ fn msooxml(buf: &[u8]) -> Option<DocType> {
     // skip to the second local file header
     // since some documents include a 520-byte extra field following the file
     // header, we need to scan for the next header
-    let mut start_offset = (u32::from_le_bytes(buf[18..22].try_into().unwrap()) + 49) as usize;
+    let mut start_offset = match u32::from_le_bytes(buf[18..22].try_into().unwrap()).checked_add(49)
+    {
+        Some(int) => int as usize,
+        None => return None,
+    };
+
     let idx = search(buf, start_offset, 6000)?;
 
     // now skip to the *third* local file header; again, we need to scan due to a