[libaacs-devel] Avoid integer overflows

Thu, 16 Mar 2017 05:46:21 -0700 

libaacs | branch: master | npzacs <npz...@gmail.com> | Thu Mar 16 14:43:20 2017 
+0200| [3a28f55af93f1a27bb1d24b77c81c972586845d7] | committer: npzacs

Avoid integer overflows

> http://git.videolan.org/gitweb.cgi/libaacs.git/?a=commit;h=3a28f55af93f1a27bb1d24b77c81c972586845d7
---

 src/libaacs/aacs.c | 15 ++++++++++++---
 src/libaacs/mkb.c  | 11 ++++++++---
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/src/libaacs/aacs.c b/src/libaacs/aacs.c
index c491296..82a1a32 100644
--- a/src/libaacs/aacs.c
+++ b/src/libaacs/aacs.c
@@ -141,10 +141,19 @@ static int _validate_pk(const uint8_t *pk,
 
 static int _rl_verify_signature(const uint8_t *rl, size_t size)
 {
-    int    entries = MKINT_BE32(rl + 12 + 8);
-    size_t len     = 12 + 12 + 8 * entries; /* type_and_version_rec=12, 
rl_header=12, rl=entries*8 */
+    if (size < 40) {
+        BD_DEBUG(DBG_AACS, "too small revocation list\n");
+        return 0;
+    }
+
+    uint32_t entries = MKINT_BE32(rl + 12 + 8);
+    if (entries >= (0xffffffff - 24 - 40) / 8) {
+        BD_DEBUG(DBG_AACS, "invalid revocation list\n");
+        return 0;
+    }
 
-    if (len + 40 > size) {
+    size_t len = 12 + 12 + 8 * entries; /* type_and_version_rec=12, 
rl_header=12, rl=entries*8 */
+    if (len > size - 40) {
         BD_DEBUG(DBG_AACS, "revocation list size mismatch\n");
         return 0;
     }
diff --git a/src/libaacs/mkb.c b/src/libaacs/mkb.c
index 7c5d2b0..2342497 100644
--- a/src/libaacs/mkb.c
+++ b/src/libaacs/mkb.c
@@ -238,11 +238,16 @@ const uint8_t *mkb_signature(MKB *mkb, size_t *len)
 
 static int _cert_is_revoked(const uint8_t *rl, size_t rl_size, const uint8_t 
*cert_id_bin)
 {
-    if (rl) {
+    if (rl && rl_size > 8) {
         uint64_t cert_id = MKINT_BE48(cert_id_bin);
         /*int total = MKINT_BE32(rl);*/
-        int entries = MKINT_BE32(rl + 4);
-        int ii;
+        uint32_t entries = MKINT_BE32(rl + 4);
+        unsigned ii;
+
+        if (entries >= (0xffffffff - 8 - 40) / 8) {
+            BD_DEBUG(DBG_MKB, "invalid revocation list\n");
+            return 0;
+        }
 
         size_t rec_len = 4 + 4 + 8 * entries + 40;
         if (rec_len > rl_size) {

_______________________________________________
libaacs-devel mailing list
libaacs-devel@videolan.org
https://mailman.videolan.org/listinfo/libaacs-devel

Reply via email to