From: Sebastien GODARD <sysstat@users.noreply.github.com>
Date: Mon, 2 Sep 2019 13:34:27 +0000 (+0200)
Subject: Fix #232: Memory corruption bug due to Integer Overflow in remap_struct()
X-Git-Tag: v12.1.7~21
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=83fad9c895d1ac13f76af5883b7451b3302beef5;p=sysstat

Fix #232: Memory corruption bug due to Integer Overflow in remap_struct()

Try to avoid integer overflow when reading a corrupted binary datafile
with sadf.

Signed-off-by: Sebastien GODARD <sysstat@users.noreply.github.com>
---

diff --git a/sa_common.c b/sa_common.c
index 36016b3..1b18dc0 100644
--- a/sa_common.c
+++ b/sa_common.c
@@ -1335,7 +1335,8 @@ int remap_struct(unsigned int gtypes_nr[], unsigned int ftypes_nr[],
 	/* Remap [unsigned] int fields */
 	d = gtypes_nr[1] - ftypes_nr[1];
 	if (d) {
-		if (ftypes_nr[1] * UL_ALIGNMENT_WIDTH < ftypes_nr[1])
+		if (gtypes_nr[0] * ULL_ALIGNMENT_WIDTH +
+		    ftypes_nr[1] * UL_ALIGNMENT_WIDTH < ftypes_nr[1])
 			/* Overflow */
 			return -1;
 
@@ -1364,7 +1365,9 @@ int remap_struct(unsigned int gtypes_nr[], unsigned int ftypes_nr[],
 	/* Remap possible fields (like strings of chars) following int fields */
 	d = gtypes_nr[2] - ftypes_nr[2];
 	if (d) {
-		if (ftypes_nr[2] * U_ALIGNMENT_WIDTH < ftypes_nr[2])
+		if (gtypes_nr[0] * ULL_ALIGNMENT_WIDTH +
+		    gtypes_nr[1] * UL_ALIGNMENT_WIDTH +
+		    ftypes_nr[2] * U_ALIGNMENT_WIDTH < ftypes_nr[2])
 			/* Overflow */
 			return -1;