From 9e25485581205503d76fbabbbb6cdf4fe204e61d Mon Sep 17 00:00:00 2001 From: Mathieu Desnoyers Date: Wed, 26 Jul 2017 13:14:39 -0400 Subject: [PATCH] Fix: add missing bound checking in decode_packet MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Found by Coverity: overflow_assign: Assigning overflowed or truncated value (or a value computed from an overflowed or a truncated value) to toread. overflow: Subtract operation overflows on operands toread and readlen. Example values for operands: toread = 268435457, readlen = 9223372037074107386. overflow_assign: Assigning overflowed or truncated value (or a value computed from an overflowed or a truncated value) to readlen. Signed-off-by: Mathieu Desnoyers Signed-off-by: Jérémie Galarneau --- plugins/ctf/common/metadata/decoder.c | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/plugins/ctf/common/metadata/decoder.c b/plugins/ctf/common/metadata/decoder.c index 559820b3..694de811 100644 --- a/plugins/ctf/common/metadata/decoder.c +++ b/plugins/ctf/common/metadata/decoder.c @@ -103,6 +103,11 @@ int decode_packet(struct ctf_metadata_decoder *mdec, FILE *in_fp, FILE *out_fp, int ret = 0; const long offset = ftell(in_fp); + if (offset < 0) { + BT_LOGE_ERRNO("Failed to get current metadata file position", + "."); + goto error; + } BT_LOGV("Decoding metadata packet: mdec-addr=%p, offset=%ld", mdec, offset); readlen = fread(&header, sizeof(header), 1, in_fp); 
@@ -207,20 +212,28 @@ int decode_packet(struct ctf_metadata_decoder *mdec, FILE *in_fp, FILE *out_fp,
 toread = header.content_size / CHAR_BIT - sizeof(header);
 for (;;) {
- readlen = fread(buf, sizeof(uint8_t),
- MIN(sizeof(buf) - 1, toread), in_fp);
+ size_t loop_read;
+
+ loop_read = MIN(sizeof(buf) - 1, toread);
+ readlen = fread(buf, sizeof(uint8_t), loop_read, in_fp);
 if (ferror(in_fp)) {
 BT_LOGE("Cannot read metadata packet buffer: "
- "offset=%ld, read-size=%u",
- ftell(in_fp), (unsigned int) readlen);
+ "offset=%ld, read-size=%zu",
+ ftell(in_fp), loop_read);
+ goto error;
+ }
+ if (readlen > loop_read) {
+ BT_LOGE("fread returned more byte than expected: "
+ "read-size-asked=%zu, read-size-returned=%zu",
+ loop_read, readlen);
 goto error;
 }
 writelen = fwrite(buf, sizeof(uint8_t), readlen, out_fp);
 if (writelen < readlen || ferror(out_fp)) {
 BT_LOGE("Cannot write decoded metadata text to buffer: "
- "read-offset=%ld, write-size=%u",
- ftell(in_fp), (unsigned int) readlen);
+ "read-offset=%ld, write-size=%zu",
+ ftell(in_fp), readlen);
 goto error;
 }
-- 2.34.1
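Review bot: The read loop still has no end-of-file exit: the new `readlen > loop_read` guard bounds what is consumed per iteration, but a short read that hits EOF returns `readlen == 0` with `ferror(in_fp)` clear, so a truncated or malformed metadata file whose `content_size` overstates the bytes on disk keeps iterating unless the lines after the hunk test for it (they are not visible here, and `decode_packet` both starts and ends outside this hunk). I would add, right after the `readlen > loop_read` check, `if (readlen == 0 && feof(in_fp)) { BT_LOGE("Unexpected end of metadata packet: offset=%ld", ftell(in_fp)); goto error; }`. The context line `toread = header.content_size / CHAR_BIT - sizeof(header);` also wraps to a huge unsigned value when `content_size / CHAR_BIT` is smaller than `sizeof(header)`, which `MIN()` then caps one buffer at a time instead of rejecting; if that range is not already refused earlier in the function, a `content_size < sizeof(header) * CHAR_BIT` check belongs before this line. Minor wording in the new log message: `fread returned more bytes than expected`.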