Detect multiplication overflow when computing sector position

(found by oss-fuzz)

diff --git a/src/cdf.c b/src/cdf.c
index 556a3ff8680986f276b6f974a9997a9f1b37d74c..9d639674211e436be831b3cc5e0609d01a9e8a52 100644 (file)
--- a/src/cdf.c
+++ b/src/cdf.c
@@ -35,7 +35,7 @@
 #include "file.h"
 
 #ifndef lint
-FILE_RCSID("@(#)$File: cdf.c,v 1.114 2019/02/20 02:35:27 christos Exp $")
+FILE_RCSID("@(#)$File: cdf.c,v 1.115 2019/08/23 14:29:14 christos Exp $")
 #endif
 
 #include <assert.h>
@@ -53,6 +53,10 @@ FILE_RCSID("@(#)$File: cdf.c,v 1.114 2019/02/20 02:35:27 christos Exp $")
 #define EFTYPE EINVAL
 #endif
 
+#ifndef SIZE_T_MAX
+#define SIZE_T_MAX CAST(size_t, ~0ULL)
+#endif
+
 #include "cdf.h"
 
 #ifdef CDF_DEBUG
@@ -405,7 +409,12 @@ cdf_read_sector(const cdf_info_t *info, void *buf, size_t offs, size_t len,
     const cdf_header_t *h, cdf_secid_t id)
 {
        size_t ss = CDF_SEC_SIZE(h);
-       size_t pos = CDF_SEC_POS(h, id);
+       size_t pos;
+
+       if (SIZE_T_MAX / ss < CAST(size_t, id))
+               return -1;
+
+       pos = CDF_SEC_POS(h, id);
        assert(ss == len);
        return cdf_read(info, CAST(off_t, pos), RCAST(char *, buf) + offs, len);
 }
@@ -415,7 +424,12 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
     size_t len, const cdf_header_t *h, cdf_secid_t id)
 {
        size_t ss = CDF_SHORT_SEC_SIZE(h);
-       size_t pos = CDF_SHORT_SEC_POS(h, id);
+       size_t pos;
+
+       if (SIZE_T_MAX / ss < CAST(size_t, id))
+               return -1;
+
+       pos = CDF_SHORT_SEC_POS(h, id);
        assert(ss == len);
        if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
                DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"