Opened 6 years ago

Last modified 6 years ago

#6827 new Bugs

Integer overflow in read function

Reported by: msuvajac@…
Owned by: Jonathan Turkanis
Milestone: To Be Determined
Component: iostreams
Version: Boost Development Trunk
Severity: Showstopper
Keywords: security, overflow, restrict, restriction
Cc:

Description

The problem with this chunk of code (from boost/iostreams/detail/restrict_impl.hpp read function):

std::streamsize amt =
    end_ != -1 ?
            (std::min) (n, static_cast<std::streamsize>(end_ - pos_)) :
            n;

is that it's prone to integer overflow. So if you have, let's say, an end_ that is > INT_MAX, std::min will return a 'wrong' (unwanted) value, e.g.:

std::streamsize a = 0xb14c1000;
std::streamsize b = 1;

std::streamsize result = (std::min)(a, b);

This will return result = 0xb14c1000, which, if applied to our case, means we will read 0xb14c1000 bytes instead of 1 byte.

This can be fixed like this:

std::streamsize amt(n);

if (end_ != -1 && end_ <= std::numeric_limits<std::streamsize>::max())
{
    amt = (std::min) (n, static_cast<std::streamsize>(end_ - pos_));
}
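
The narrowing described above can be reproduced without Boost. The following is an added example, not code from the ticket, its patches or Boost. It assumes a platform where std::streamsize is 32 bits and stream offsets are 64 bits; the aliases size32 and off64 and both function names are hypothetical. The second function compares in the wide type before narrowing, which is a different approach from the check proposed in the ticket.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>

// Assumption: a platform where std::streamsize is 32 bits while stream
// offsets are 64 bits. Fixed-width aliases reproduce that anywhere.
using size32 = std::int32_t;  // stand-in for std::streamsize
using off64  = std::int64_t;  // stand-in for the stream offset type

// Pattern from the ticket: the 64-bit difference is narrowed before min().
size32 amt_narrow_then_min(size32 n, off64 pos, off64 end) {
    return end != -1
        ? (std::min)(n, static_cast<size32>(end - pos))
        : n;
}

// Alternative: compare in the wide type, narrow only the result.
// The result never exceeds n, so the final cast cannot lose bits.
size32 amt_min_then_narrow(size32 n, off64 pos, off64 end) {
    if (end == -1) return n;              // no upper bound configured
    const off64 remaining = end - pos;
    if (remaining <= 0) return 0;         // at or past the end
    return static_cast<size32>((std::min)(static_cast<off64>(n), remaining));
}

int main() {
    // Constructed inputs: {n, pos, end}
    const struct { size32 n; off64 pos, end; } cases[] = {
        {1,    0, 0xb14c1000LL},               // value from the ticket
        {4096, 0, 0x100000010LL},              // 4 GiB + 16 remaining
        {4096, 0x100000000LL, 0x100000064LL},  // 100 remaining
    };
    for (const auto& c : cases)
        std::printf("n=%d remaining=%lld narrow_then_min=%d min_then_narrow=%d\n",
                    c.n, static_cast<long long>(c.end - c.pos),
                    amt_narrow_then_min(c.n, c.pos, c.end),
                    amt_min_then_narrow(c.n, c.pos, c.end));
    return 0;
}
```

The second constructed case shows the quieter variant of the same defect: a remaining length just over 4 GiB narrows to a small positive number, so the read is silently cut short instead of going negative.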

Attachments (2)

restrict_impl.patch (941 bytes) - added by msuvajac@… 6 years ago.
Patch for the bug.
restrict_impl2.patch (1.1 KB) - added by msuvajac@… 6 years ago.
fixed patch


Change History (3)

Changed 6 years ago by msuvajac@…

Attachment: restrict_impl.patch added

Patch for the bug.

Changed 6 years ago by msuvajac@…

Attachment: restrict_impl2.patch added

fixed patch

comment:1 Changed 6 years ago by msuvajac@…

My previous patch had a bug; my colleague noticed that, so I've uploaded a fix.
