From 32d746be08dc630c175c082909d19a2929f25bcb Mon Sep 17 00:00:00 2001
From: Sebastien GODARD
Date: Sun, 22 Sep 2019 18:08:23 +0200
Subject: [PATCH] sar: Fix insecure data handling
Check values read from file before using. Fix CID#349504.
Signed-off-by: Sebastien GODARD
---
 sa.h | 2 ++
 sa_common.c | 8 ++++++++
 2 files changed, 10 insertions(+)
diff --git a/sa.h b/sa.h
index d2efd67..33ea525 100644
--- a/sa.h
+++ b/sa.h
@@ -675,6 +675,8 @@ struct extra_desc {
 #define EXTRA_DESC_ULL_NR 0 /* Nr of unsigned long long in extra_desc structure */
 #define EXTRA_DESC_UL_NR 0 /* Nr of unsigned long in extra_desc structure */
 #define EXTRA_DESC_U_NR 6 /* Nr of [unsigned] int in extra_desc structure */
+#define MAX_EXTRA_NR 8192
+#define MAX_EXTRA_SIZE 1024
 /* Record type */
 /*
diff --git a/sa_common.c b/sa_common.c
index b26851b..8bbe3a6 100644
--- a/sa_common.c
+++ b/sa_common.c
@@ -1490,6 +1490,14 @@ int skip_extra_struct(int ifd, int endian_mismatch, int arch_64)
 return -1;
 }
+ if ((xtra_d.extra_nr > MAX_EXTRA_NR) || (xtra_d.extra_size > MAX_EXTRA_SIZE)) {
+#ifdef DEBUG
+ fprintf(stderr, "%s: extra_size=%u extra_nr=%u\n",
+ __FUNCTION__, xtra_d.extra_size, xtra_d.extra_size);
+#endif
+ return -1;
+ }
+
 /* Ignore current unknown extra structures */
 for (i = 0; i < xtra_d.extra_nr; i++) {
 if (lseek(ifd, xtra_d.extra_size, SEEK_CUR) < xtra_d.extra_size)
--
2.40.0
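Review bot: The two limits added after `EXTRA_DESC_U_NR` in sa.h carry no comment, while every neighbouring define states what it counts. Their role is only visible in the sa_common.c hunk, where they cap the `extra_nr` and `extra_size` values read from the data file, so say that here, e.g. `#define MAX_EXTRA_NR 8192 /* Max value accepted for extra_nr read from file */` and `#define MAX_EXTRA_SIZE 1024 /* Max value accepted for extra_size read from file */`. A short remark on how 8192 and 1024 were chosen would help whoever later has to decide whether a rejected file is malformed or merely larger than expected.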
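Review bot: The DEBUG message in the new bounds check in skip_extra_struct() passes `xtra_d.extra_size` for both `%u` conversions, so the number printed as `extra_nr` is really the size and an out-of-range count is never shown. The argument line should read `__FUNCTION__, xtra_d.extra_size, xtra_d.extra_nr);`. The check sets upper limits only: a descriptor with `extra_size` of 0 and a non-zero `extra_nr` still passes and the loop below performs zero-length seeks, which looks harmless but should be a deliberate choice. The function starts before and continues past this hunk, so how `xtra_d` is read and byte-swapped before the check is not visible here.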