From 478dfe51552243b367cf2e9c5d047cbbd3c21635 Mon Sep 17 00:00:00 2001
From: Randy Barlow
Date: Fri, 18 Mar 2022 12:42:57 -0400
Subject: [PATCH] CVE-2022-48468: unsigned integer overflow
This commit combines two upstream commits from protobuf-c[0][1]. The first fixes an unsigned integer overflow, and the second fixes a regression introduced by the first. I originally decided to amend the commit message of the first to mention that it fixes a CVE, but then I realized it would be better to bring the fix for the regression together with it.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48468
https://bugzilla.redhat.com/show_bug.cgi?id=2186673
[0] https://github.com/protobuf-c/protobuf-c/pull/513/commits/289f5c18b195aa43d46a619d1188709abbfa9c82
[1] https://github.com/protobuf-c/protobuf-c/pull/513/commits/0d1fd124a4e0a07b524989f6e64410ff648fba61
Co-authored-by: 10054172
Co-authored-by: "Todd C. Miller"
Signed-off-by: 10054172
Signed-off-by: Randy Barlow
---
src/protobuf-c/protobuf-c.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/protobuf-c/protobuf-c.c b/src/protobuf-c/protobuf-c.c
index 4f2f5bc..6ae5287 100644
--- a/src/protobuf-c/protobuf-c.c
+++ b/src/protobuf-c/protobuf-c.c
@@ -2456,10 +2456,13 @@ parse_required_member(ScannedMember *scanned_member,
 return FALSE;
 def_mess = scanned_member->field->default_value;
- subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
- allocator,
- len - pref_len,
- data + pref_len);
+ if (len >= pref_len)
+ subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
+ allocator,
+ len - pref_len,
+ data + pref_len);
+ else
+ subm = NULL;
 if (maybe_clear &&
 *pmessage != NULL &&
--
2.39.2
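Review bot: The new `if (len >= pref_len)` / `else` pair wraps a four-line call without braces and has no comment saying why equality must be accepted, so a later edit could tighten it to `>` or attach a statement to the wrong branch. I would brace both branches and put `/* len < pref_len would wrap the unsigned subtraction below; len == pref_len is valid and passes a zero-length payload */` above the check. The diffstat shows only protobuf-c.c changed, so no regression test pins either boundary; one case that takes the `subm = NULL` path and one with `len == pref_len` would guard both halves of the fix. The code that consumes `subm` and any other `len - pref_len` in parse_required_member lie outside this hunk, so confirm separately that a NULL `subm` is rejected and that no sibling case performs the same subtraction unguarded.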