From 1b5bef7b1adb3ee6b540c7be39c2ad3c24bc024e Mon Sep 17 00:00:00 2001
From: Alex Palaistras
Date: Tue, 7 Jun 2022 16:15:29 +0100
Subject: [PATCH] Fix integer overflow in `msooxml` detection

Detection for MS-OOXML files will attempt to load a 32-bit address from the user-provided payload, adding a static offset that may lead to overflow if the original address is already near the max value for the type used. This commit has starting offset calculation be safe via use of `checked_add`, returning `None` if the user-provided address is beyond the bounds allowed.
---
 src/matchers/doc.rs | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/matchers/doc.rs b/src/matchers/doc.rs
index 991de7b..71c3a03 100644
--- a/src/matchers/doc.rs
+++ b/src/matchers/doc.rs
@@ -67,7 +67,12 @@ fn msooxml(buf: &[u8]) -> Option {
     // skip to the second local file header
     // since some documents include a 520-byte extra field following the file
     // header, we need to scan for the next header
-    let mut start_offset = (u32::from_le_bytes(buf[18..22].try_into().unwrap()) + 49) as usize;
+    let mut start_offset = match u32::from_le_bytes(buf[18..22].try_into().unwrap()).checked_add(49)
+    {
+        Some(int) => int as usize,
+        None => return None,
+    };
+
     let idx = search(buf, start_offset, 6000)?;
     // now skip to the *third* local file header; again, we need to scan due to a
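Review bot: The added four-line match is the hand-written form of `?`: msooxml already returns Option (hunk header) and the very next line uses `search(...)?`, so the guard reads better as the single line `let mut start_offset = u32::from_le_bytes(buf[18..22].try_into().unwrap()).checked_add(49)? as usize;`. The overflow fix itself is sound, since `checked_add` is applied to the u32 before the widening cast, so the addition can no longer wrap. The remaining crash path on the same line is `buf[18..22]`, which panics for any payload shorter than 22 bytes; unless a length check earlier in msooxml (its body starts and ends outside this hunk) rules that out, `buf.get(18..22)?` turns a truncated input into a `None` instead of a panic, which matters for a detector fed untrusted data.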