Check that n + kBlockTrailerSize does not overflow before reading a block

author Frank Chen <frankchn@google.com>

Wed, 4 Apr 2018 23:26:25 +0000 (16:26 -0700)

committer TensorFlower Gardener <gardener@tensorflow.org>

Wed, 4 Apr 2018 23:29:02 +0000 (16:29 -0700)
author Frank Chen <frankchn@google.com>
Wed, 4 Apr 2018 23:26:25 +0000 (16:26 -0700)
committer TensorFlower Gardener <gardener@tensorflow.org>
Wed, 4 Apr 2018 23:29:02 +0000 (16:29 -0700)
diff --git a/tensorflow/core/lib/io/format.cc b/tensorflow/core/lib/io/format.cc

index 6485294..0c24c66 100644 (file)
--- a/tensorflow/core/lib/io/format.cc
+++ b/tensorflow/core/lib/io/format.cc
@@ -13,6 +13,8 @@ See the License for the specific language governing permissions and
  limitations under the License.
  ==============================================================================*/
  
+#include <limits>
+
  #include "tensorflow/core/lib/io/format.h"
  
  #include "tensorflow/core/lib/core/coding.h"
@@ -84,6 +86,11 @@ Status ReadBlock(RandomAccessFile* file, const BlockHandle& handle,
    // Read the block contents as well as the type/crc footer.
    // See table_builder.cc for the code that built this structure.
    size_t n = static_cast<size_t>(handle.size());
+
+  if (kBlockTrailerSize > std::numeric_limits<size_t>::max() - n) {
+    return errors::DataLoss("handle.size() too big");
+  }
+
    char* buf = new char[n + kBlockTrailerSize];
    StringPiece contents;
    Status s = file->Read(handle.offset(), n + kBlockTrailerSize, &contents, buf);
author	Frank Chen <frankchn@google.com>
	Wed, 4 Apr 2018 23:26:25 +0000 (16:26 -0700)
committer	TensorFlower Gardener <gardener@tensorflow.org>
	Wed, 4 Apr 2018 23:29:02 +0000 (16:29 -0700)