From c1cef2d68c9afc697e70ac06802a0b3cc27ef93d Mon Sep 17 00:00:00 2001
From: akallabeth
Date: Wed, 29 Apr 2020 15:55:51 +0200
Subject: [PATCH] Fixed int overflow in smartcard_ndr_read

Thanks to hac425
---
 channels/smartcard/client/smartcard_pack.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/channels/smartcard/client/smartcard_pack.c b/channels/smartcard/client/smartcard_pack.c
index 64a0c94..de0e1ce 100644
--- a/channels/smartcard/client/smartcard_pack.c
+++ b/channels/smartcard/client/smartcard_pack.c
@@ -101,7 +101,7 @@ static BOOL smartcard_ndr_pointer_read_(wStream* s, UINT32* index, UINT32* ptr,
 static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t elementSize,
 ndr_ptr_t type)
 {
- UINT32 len, offset, len2;
+ size_t len, offset, len2;
 void* r;
 size_t required;
 
@@ -163,9 +163,11 @@ static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t eleme
 min, len);
 return STATUS_DATA_ERROR;
 }
- len *= elementSize;
 
- if (Stream_GetRemainingLength(s) < len)
+ if (len > SIZE_MAX / 2)
+ return STATUS_BUFFER_TOO_SMALL;
+
+ if (Stream_GetRemainingLength(s) / elementSize < len)
 {
 WLog_ERR(TAG,
 "Short data while trying to read data from NDR pointer, expected %" PRIu32
@@ -173,6 +175,7 @@ static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t eleme
 len, Stream_GetRemainingLength(s));
 return STATUS_BUFFER_TOO_SMALL;
 }
+ len *= elementSize;
 
 r = calloc(len + 1, sizeof(CHAR));
 if (!r)
-- 
2.7.4
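Review bot: Widening `len`, `offset` and `len2` to `size_t` leaves the existing log calls passing `len` to a `PRIu32` conversion, which is a format/argument mismatch wherever `size_t` is wider than 32 bits. The "Short data" `WLog_ERR` that spans the next two hunks shows it, and the `min, len);` call above it may have the same problem (its format string is outside the diff). Switch those conversions to a size_t specifier, for example `"... expected %" PRIuz` if WinPR's `PRIuz` is available in this tree. The reads that fill `len`, `offset` and `len2` sit outside the hunk, so confirm they still assign cleanly into a `size_t`.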
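Review bot: `Stream_GetRemainingLength(s) / elementSize` divides by a caller-supplied value with no zero check. Callers are not visible here and presumably pass a `sizeof`, but a guard such as `if (elementSize == 0) return STATUS_INVALID_PARAMETER;` before the comparison makes the function safe on its own. The `len > SIZE_MAX / 2` test returns without a `WLog_ERR`, unlike the neighbouring error paths. Its bound also looks arbitrary, because the division-based comparison already guarantees `len * elementSize` cannot exceed the remaining stream length. Either drop it, or add a log line and a short comment saying what the limit protects.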
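Review bot: With the multiplication moved below the length check, the "Short data" message above now prints `len` as an element count beside a remaining length in bytes, which will mislead anyone triaging malformed NDR input from the logs. Adjust the wording to name the unit, or log `elementSize` alongside it. A one-line comment on the moved statement, `/* cannot overflow: len <= remaining / elementSize was checked above */`, would keep a later edit from moving it back in front of the check.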