centos 7
integer weakness #27


Weakness Breakdown


Definition:

An integer overflow occurs when the result of an arithmetic operation exceeds the maximum value that the integer type used to store it can hold. The resulting value will appear to have wrapped around the maximum value and started again at the minimum value, like a clock that represents 13:00 by pointing at 1:00. An attacker can exploit an integer overflow in a buffer length calculation: the allocated buffer ends up too small to hold the data copied into it, causing a buffer overflow.

Warning code(s):

Unless checked, the resulting number can exceed the expected range.

File Name:

ncompress-4.2.4.4/compress42.c

Context:

The highlighted line of code below is the trigger point of this particular Centos 7 integer weakness.

 
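#ifndef SIG_TYPE
#	define	SIG_TYPE	void (*)()	/* Cast type for signal handlers; overridable per platform */
#endif

/*
 * Hand-written prototypes for the C library routines this file uses, emitted
 * unless NOFUNCDEF is defined (i.e. unless the platform's own headers are
 * relied on instead).  LARGS is defined outside this excerpt; it presumably
 * wraps the parameter list so it can be dropped on pre-ANSI compilers — TODO confirm.
 *
 * NOTE(review): these K&R-era signatures do not match ISO C.  In particular
 * malloc/read/write/memset/memcpy take `int`/`unsigned int` sizes rather than
 * `size_t`, and strlen returns `unsigned`, so any length computed in a wider
 * type is silently narrowed at the call.  That narrowing is the kind of
 * range issue the "resulting number can exceed the expected range" warning
 * refers to; prefer the system headers (define NOFUNCDEF) on any modern
 * toolchain so the real `size_t` prototypes are used.
 */
#ifndef NOFUNCDEF
	extern	void	*malloc	LARGS((int));
	extern	void	free	LARGS((void *));
#ifndef _IBMR2
	extern	int		open	LARGS((char const *,int,...));
#endif
	extern	int		close	LARGS((int));
	extern	int		read	LARGS((int,void *,int));
	extern	int		write	LARGS((int,void const *,int));
	extern	int		chmod	LARGS((char const *,int));
	extern	int		unlink	LARGS((char const *));
	extern	int		chown	LARGS((char const *,int,int));
	extern	int		utime	LARGS((char const *,struct utimbuf const *));
	extern	char	*strcpy	LARGS((char *,char const *));
	extern	char	*strcat	LARGS((char *,char const *));
	extern	int		strcmp	LARGS((char const *,char const *));
	extern	unsigned strlen	LARGS((char const *));
	extern	void	*memset	LARGS((void *,char,unsigned int));
	extern	void	*memcpy	LARGS((void *,void const *,unsigned int));
	extern	int		atoi	LARGS((char const *));
	extern	void	exit	LARGS((int));
	extern	int		isatty	LARGS((int));
#endif
	
/*
 * Debugging/profiling marker: emits a global assembler label.
 * NOTE(review): an ISO C preprocessor does not substitute `a` inside string
 * literals (only pre-ANSI cpp did), so every expansion emits the same label
 * "M.a" — using MARK more than once in a translation unit would then produce
 * a duplicate symbol.  Left as-is because it appears intended for a legacy
 * toolchain; `#a` stringification would be the ISO C form — confirm before changing.
 */
#define	MARK(a)	{ asm(" .globl M.a"); asm("M.a:"); }

#ifdef	DEF_ERRNO
	extern int	errno;	/* For libcs that do not declare errno in a header */
#endif

#include "patchlevel.h"

/*
 * Minimum of two values.  Every argument use and the whole expansion are
 * parenthesized so that operands with lower-precedence operators (e.g. a
 * conditional expression) are evaluated as the caller wrote them; the
 * original `((a>b) ? b : a)` mis-grouped such arguments.  Arguments are
 * still evaluated up to twice, so avoid side effects in them.
 */
#undef	min
#define	min(a,b)	(((a) > (b)) ? (b) : (a))

#ifndef	IBUFSIZ
#	define	IBUFSIZ	BUFSIZ	/* Default input buffer size							*/
#endif
#ifndef	OBUFSIZ
#	define	OBUFSIZ	BUFSIZ	/* Default output buffer size							*/
#endif

#define MAXPATHLEN PATH_MAX 		/* MAXPATHLEN - maximum length of a pathname we allow 	*/
#define	SIZE_INNER_LOOP		256	/* Size of the inner (fast) compress loop			*/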
 
