From 8b822ab20b1daab0b59c7fd023fbb9d4cd772950 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Mon, 30 Sep 2024 19:20:33 +0200
Subject: [PATCH] libkmod: Check child range in memory mapped index

If value of "first" is negative, then a broken index can trigger a stack based buffer overflow, because child_count could become larger than INDEX_CHILDMAX.

Signed-off-by: Tobias Stoeckmann
---
 libkmod/libkmod-index.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libkmod/libkmod-index.c b/libkmod/libkmod-index.c
index 154cc43b..0e2b26d4 100644
--- a/libkmod/libkmod-index.c
+++ b/libkmod/libkmod-index.c
@@ -689,7 +689,7 @@ static struct index_mm_node *index_mm_read_node(struct index_mm *idx, uint32_t o
 first = read_char_mm(&p);
 last = read_char_mm(&p);
- if (first > last)
+ if (first > last || first < 0 || last < 0)
 return NULL;
 child_count = last - first + 1;
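Review bot: The new guard `first < 0 || last < 0` only rejects a malformed index if `first` and `last` have a signed type, and their declarations are outside this hunk. If they are plain `char`, signedness is implementation-defined; on a target where `char` is unsigned the comparisons are never true, and a byte value at or above 128 would still reach the `child_count = last - first + 1` computation. Since the commit message names the invariant as `child_count` not exceeding INDEX_CHILDMAX, it would be more robust to enforce that directly after the computation, e.g. `if (child_count > INDEX_CHILDMAX) return NULL;`, with a short comment that the index file is untrusted input. The body of index_mm_read_node starts and continues outside the hunk, so the buffer that `child_count` indexes cannot be confirmed from here.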