There's a possibility of a minor buffer overrun in libcheckisomd5.c due
to a faulty bounds check.
The code in question...
<snip>
    while (loc < 512) {
        if (!strncmp(buf2 + loc, "ISO MD5SUM = ", 13)) {
            /* make sure we dont walk off end */
            if ((loc + 32) > 511)
                return -1;
            memcpy(mediasum, buf2 + loc + 13, 32);
            mediasum[32] = '\0';
            md5fnd = 1;
            loc += 45;
            for (p=buf2+loc; *p != ';' && loc < 512; p++, loc++);
</snip>
The code checks to make sure that the current location plus 32 bytes is
within the buffer's 512 byte size:
if ((loc + 32) > 511)
return -1;
But on the very next line, there's a possibility of copying beyond
buf2's 512 byte static char array:
memcpy(mediasum, buf2 + loc + 13, 32);
And a few lines later, the code moves the location forward by 45 bytes:
loc += 45;
The memcpy seems unprotected to me. This bug was found by Coverity, a
source code checker. Patch follows. Your thoughts?
:-Dustin
--- isomd5sum/libcheckisomd5.c.orig 2005-08-08 10:14:41.246617392
-0500
+++ isomd5sum/libcheckisomd5.c 2005-08-08 10:15:21.190544992 -0500
@@ -60,7 +60,7 @@ static int parsepvd(int isofd, char *med
if (!strncmp(buf2 + loc, "ISO MD5SUM = ", 13)) {
/* make sure we dont walk off end */
- if ((loc + 32) > 511)
+ if ((loc + 45) > 511)
return -1;
memcpy(mediasum, buf2 + loc + 13, 32);
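Review bot: the new bound is conservative by one byte and its derivation deserves a comment: memcpy reads buf2[loc + 13] through buf2[loc + 44], so the exact test is `if ((loc + 45) > 512)`; `> 511` additionally rejects a tag at loc == 467 whose digest ends exactly on the last byte, which is harmless but should be stated ("13-byte tag + 32-byte digest = 45 bytes from loc"). The `strncmp(buf2 + loc, "ISO MD5SUM = ", 13)` on the first context line has the same shape of problem and is untouched by the patch: the enclosing `while (loc < 512)` lets loc reach 511, where the compare may read up to 12 bytes past the end of buf2 before it hits a mismatch; bounding the loop at `loc + 13 <= 512`, or checking that before the compare, would close that read as well.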
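As an added illustration, not Dustin's code nor isomd5sum's, the program below re-implements the tag search over a constructed 512-byte buffer with every read bounded by the buffer length, next to a helper that reports how far the original `loc + 32 > 511` test lets memcpy run past the end of buf2 for a given loc. It assumes the loop advances loc one byte at a time between matches, which the excerpt does not show, and uses memcmp instead of strncmp because the compare is already length-bounded.

```c
#include <stdio.h>
#include <string.h>

#define BUF2_SIZE 512                 /* size of buf2 in parsepvd(), per the report */
#define TAG       "ISO MD5SUM = "
#define TAG_LEN   13
#define SUM_LEN   32
#define REC_LEN   (TAG_LEN + SUM_LEN) /* 45: bytes memcpy touches from buf2 + loc */

/* Model of the original check. Returns -1 if "loc + 32 > 511" rejects loc,
 * otherwise the number of bytes memcpy(mediasum, buf2 + loc + 13, 32) reads
 * past the last valid index of buf2 (0 when the copy fits). */
int overrun_with_original_check(int loc)
{
    if (loc + SUM_LEN > BUF2_SIZE - 1)      /* the original test, verbatim */
        return -1;                          /* rejected: memcpy never runs */
    int last = loc + TAG_LEN + SUM_LEN - 1; /* last index memcpy reads */
    return last > BUF2_SIZE - 1 ? last - (BUF2_SIZE - 1) : 0;
}

/* Hardened scan: locate TAG inside buf2[0..len) and copy the 32-byte digest
 * that follows it into mediasum (at least SUM_LEN + 1 bytes). The compare is
 * only attempted where TAG_LEN bytes remain, and the copy only where REC_LEN
 * bytes remain from loc. Returns 1 if found, 0 if absent, -1 if the tag sits
 * too close to the end for a full digest (the case the patch rejects). */
int find_mediasum(const char *buf2, size_t len, char *mediasum)
{
    size_t loc = 0;
    while (loc + TAG_LEN <= len) {
        if (memcmp(buf2 + loc, TAG, TAG_LEN) == 0) {
            if (loc + REC_LEN > len)
                return -1;
            memcpy(mediasum, buf2 + loc + TAG_LEN, SUM_LEN);
            mediasum[SUM_LEN] = '\0';
            return 1;
        }
        loc++;                              /* assumed: byte-by-byte advance */
    }
    return 0;
}

/* Constructed test buffer: filler bytes with the tag placed at offset `at`
 * and a digest of repeating '0'..'9'; anything past the end is dropped.
 * Passing at >= BUF2_SIZE yields a buffer with no tag at all. */
static void make_buf(char *buf2, int at)
{
    memset(buf2, 'x', BUF2_SIZE);
    for (int i = 0; i < REC_LEN && at + i < BUF2_SIZE; i++)
        buf2[at + i] = i < TAG_LEN ? TAG[i] : (char)('0' + (i - TAG_LEN) % 10);
}

/* Build the buffer with the tag at `at`, scan it, and return the scan result;
 * when out is non-NULL it receives the digest (empty unless the result is 1). */
int scan_tag_at(int at, char *out)
{
    char buf2[BUF2_SIZE];
    char mediasum[SUM_LEN + 1];
    make_buf(buf2, at);
    int rc = find_mediasum(buf2, BUF2_SIZE, mediasum);
    if (out)
        strcpy(out, rc == 1 ? mediasum : "");
    return rc;
}

int main(void)
{
    char digest[SUM_LEN + 1];
    int offsets[] = { 100, 467, 468, 479, 480 };
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        int at = offsets[i];
        int rc = scan_tag_at(at, digest);
        printf("tag at %3d: original check -> %3d bytes past end, hardened scan -> %2d %s\n",
               at, overrun_with_original_check(at), rc, digest);
    }
    return 0;
}
```

The interesting row is loc 479: the original test admits it (479 + 32 is not greater than 511) while the copy reads up to index 523, twelve bytes beyond buf2; the hardened scan returns -1 there, and still accepts 467, the last offset at which a full digest fits.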