Fix: add missing bound checking in decode_packet
authorMathieu Desnoyers <mathieu.desnoyers@efficios.com>
Wed, 26 Jul 2017 17:14:39 +0000 (13:14 -0400)
committerJérémie Galarneau <jeremie.galarneau@efficios.com>
Wed, 9 Aug 2017 19:09:41 +0000 (15:09 -0400)
Found by Coverity:

overflow_assign: Assigning overflowed or truncated value (or a value
computed from an overflowed or a truncated value) to toread.

overflow: Subtract operation overflows on operands toread and
readlen. Example values for operands: toread = 268435457, readlen =
9223372037074107386.

overflow_assign: Assigning overflowed or truncated value (or a value
computed from an overflowed or a truncated value) to readlen.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Jérémie Galarneau <jeremie.galarneau@efficios.com>
plugins/ctf/common/metadata/decoder.c

index 559820b350e953e9e077d6539a842f4910674f4b..694de8113bc4275edfd70d6ef28f259f63ac2137 100644 (file)
@@ -103,6 +103,11 @@ int decode_packet(struct ctf_metadata_decoder *mdec, FILE *in_fp, FILE *out_fp,
        int ret = 0;
        const long offset = ftell(in_fp);
 
+       if (offset < 0) {
+               BT_LOGE_ERRNO("Failed to get current metadata file position",
+                       ".");
+               goto error;
+       }
        BT_LOGV("Decoding metadata packet: mdec-addr=%p, offset=%ld",
                mdec, offset);
        readlen = fread(&header, sizeof(header), 1, in_fp);
@@ -207,20 +212,28 @@ int decode_packet(struct ctf_metadata_decoder *mdec, FILE *in_fp, FILE *out_fp,
        toread = header.content_size / CHAR_BIT - sizeof(header);
 
        for (;;) {
-               readlen = fread(buf, sizeof(uint8_t),
-                       MIN(sizeof(buf) - 1, toread), in_fp);
+               size_t loop_read;
+
+               loop_read = MIN(sizeof(buf) - 1, toread);
+               readlen = fread(buf, sizeof(uint8_t), loop_read, in_fp);
                if (ferror(in_fp)) {
                        BT_LOGE("Cannot read metadata packet buffer: "
-                               "offset=%ld, read-size=%u",
-                               ftell(in_fp), (unsigned int) readlen);
+                               "offset=%ld, read-size=%zu",
+                               ftell(in_fp), loop_read);
+                       goto error;
+               }
+               if (readlen > loop_read) {
+                       BT_LOGE("fread returned more byte than expected: "
+                               "read-size-asked=%zu, read-size-returned=%zu",
+                               loop_read, readlen);
                        goto error;
                }
 
                writelen = fwrite(buf, sizeof(uint8_t), readlen, out_fp);
                if (writelen < readlen || ferror(out_fp)) {
                        BT_LOGE("Cannot write decoded metadata text to buffer: "
-                               "read-offset=%ld, write-size=%u",
-                               ftell(in_fp), (unsigned int) readlen);
+                               "read-offset=%ld, write-size=%zu",
+                               ftell(in_fp), readlen);
                        goto error;
                }
 
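Review bot: The subtraction that seeds `toread` in the first context line of this hunk, `header.content_size / CHAR_BIT - sizeof(header)`, is still unguarded in the visible lines, and `header` was filled by `fread` from the metadata file. A content size smaller than the header would wrap to a very large count if `toread` is unsigned (its declaration is outside the hunk), and the new `readlen > loop_read` check only bounds each iteration against that already-wrapped value. Unless the code between the two hunks already validates it, reject the packet before the assignment: `if (header.content_size / CHAR_BIT < sizeof(header)) goto error;`, preceded by a `BT_LOGE` that reports the bad content size. The loop body continues past the end of the hunk, so how a short read at end of file is handled cannot be judged from here.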