On Thu, 2017-02-16 at 08:43 +0000, Richard W.M. Jones wrote:
On Wed, Feb 15, 2017 at 10:59:33PM +0000, Richard W.M. Jones wrote:
>
> OK, I ended up turning the warning off. It appears from the
> info file that the warning is about GCC not being able to make
> an optimization, not a bug in the code.
>
> However, I do have a more substantial problem with the patch.
> By checking the offset against h->endpages, we're using an
> untrusted field supplied to us by the hive, which means that a
> crafted hive could cause us to walk through memory past the end
> of the file -- a security issue.
>
> So I think the test should be using h->size with the additional
> check for off >= h->endpages, as in the existing outer loop.

Also if we're going to start using heuristics to deal with broken
hives, we should prevent writing when this happens. So check the
write flag and give an error in that case (or have another flag to
indicate that the caller wants heuristics).
Rich.

In this case, I'd opt for a new flag because in our use case we still
might want to modify such hives - we do something similar to v2v on
backup images.
Dawid
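The two points raised in the thread, the loop bound and the write flag, as an added illustration that is not hivex code and was not posted by anyone in the thread. It uses a toy, constructed in-memory hive layout: a header whose one field claims the length of the page region (standing in for the untrusted value behind h->endpages), followed by pages that each carry their own size. The page walker is bounded by the real buffer length, and the claimed end can only stop the walk early, never extend it; the open routine flags a hive whose claim exceeds the file as broken and refuses to open it for writing unless a hypothetical TOY_OPEN_HEURISTICS flag is passed. All struct, field, flag and function names here are assumptions made for the example, and the sample bytes are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy in-memory hive model (constructed for this example; not hivex's
 * struct hive_h, and not the real registry hive layout). */
struct toy_hive {
    const uint8_t *data;  /* file contents, e.g. an mmap of the hive */
    size_t size;          /* trusted: the real length of the buffer */
    size_t endpages;      /* untrusted: derived from a header field */
    bool broken;          /* header claims pages beyond the end of the file */
};

#define TOY_HDR_SIZE    0x20  /* magic "toyh" + LE32 length of the page region */
#define TOY_PAGE_HDR    8     /* magic "hbin" + LE32 page size incl. header */
#define TOY_NPAGES      3
#define TOY_PAGE_SIZE   0x20
#define TOY_SAMPLE_SIZE (TOY_HDR_SIZE + TOY_NPAGES * TOY_PAGE_SIZE)

/* Hypothetical open flags, modelled on the suggestion in the thread. */
enum { TOY_OPEN_WRITE = 1, TOY_OPEN_HEURISTICS = 2 };

enum walk_status { WALK_OK, WALK_PAGE_OUTSIDE_FILE, WALK_BAD_PAGE_SIZE, WALK_BAD_MAGIC };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Fills buf (TOY_SAMPLE_SIZE bytes) with a constructed hive: a header
 * claiming `claimed_len` bytes of pages, then TOY_NPAGES pages whose
 * headers each state `page_size`.  Returns the buffer length. */
size_t build_sample_hive(uint8_t *buf, uint32_t claimed_len, uint32_t page_size)
{
    memset(buf, 0, TOY_SAMPLE_SIZE);
    memcpy(buf, "toyh", 4);
    wr32(buf + 4, claimed_len);
    for (int i = 0; i < TOY_NPAGES; i++) {
        uint8_t *p = buf + TOY_HDR_SIZE + i * TOY_PAGE_SIZE;
        memcpy(p, "hbin", 4);
        wr32(p + 4, page_size);
    }
    return TOY_SAMPLE_SIZE;
}

/* Returns 0 on success, -1 if the header cannot be read, -2 if the hive
 * looks broken and the caller asked to write without opting in to
 * heuristics.  `size` is the caller's knowledge of the real length. */
int toy_hive_open(struct toy_hive *h, const uint8_t *data, size_t size, int flags)
{
    if (size < TOY_HDR_SIZE || memcmp(data, "toyh", 4) != 0)
        return -1;
    h->data = data;
    h->size = size;
    /* The untrusted value: the file tells us where its own pages end. */
    h->endpages = TOY_HDR_SIZE + (size_t)rd32(data + 4);
    h->broken = h->endpages > h->size;
    if (h->broken && (flags & TOY_OPEN_WRITE) && !(flags & TOY_OPEN_HEURISTICS))
        return -2;
    return 0;
}

/* Walks the page list.  The loop is bounded by h->size, which the parser
 * knows to be true; h->endpages can only end the walk early, never extend
 * it.  Each page header read is checked against the bytes remaining, and a
 * page must advance the offset so a zero page size cannot spin forever.
 * Stores the number of pages visited in *npages. */
enum walk_status walk_pages(const struct toy_hive *h, size_t *npages)
{
    size_t off = TOY_HDR_SIZE;
    *npages = 0;
    while (off < h->size && off < h->endpages) {
        if (h->size - off < TOY_PAGE_HDR)
            return WALK_PAGE_OUTSIDE_FILE;
        if (memcmp(h->data + off, "hbin", 4) != 0)
            return WALK_BAD_MAGIC;
        uint32_t page_size = rd32(h->data + off + 4);
        if (page_size < TOY_PAGE_HDR)
            return WALK_BAD_PAGE_SIZE;
        if (page_size > h->size - off)
            return WALK_PAGE_OUTSIDE_FILE;
        (*npages)++;
        off += page_size;
    }
    return WALK_OK;
}

int main(void)
{
    uint8_t buf[TOY_SAMPLE_SIZE];
    struct toy_hive h;
    size_t n;
    /* Crafted header: claims 64 KiB of pages inside a 128-byte file. */
    size_t len = build_sample_hive(buf, 0x10000, TOY_PAGE_SIZE);
    toy_hive_open(&h, buf, len, 0);
    enum walk_status st = walk_pages(&h, &n);
    printf("crafted hive: broken=%d status=%d pages=%zu; open for write -> %d\n",
           h.broken, st, n, toy_hive_open(&h, buf, len, TOY_OPEN_WRITE));
    return 0;
}
```

With the crafted header the walk still visits exactly the three pages that fit in the buffer and returns WALK_OK, because the oversized claim never becomes the loop bound; a buffer truncated in the middle of a page is reported as WALK_PAGE_OUTSIDE_FILE rather than read past its end, and a page advertising a size of zero is rejected before it can stall the loop.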