card: Avoid integer overflows

Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17007
2019-10-01 11:11:29 +02:00 · 2019-10-01 11:11:29 +02:00 · 5490d73f31
parent 34bd879400
commit 5490d73f31
1 changed files with 6 additions and 0 deletions
--- a/src/libopensc/card.c
+++ b/src/libopensc/card.c
@ -28,6 +28,7 @@
 #include <unistd.h>
 #endif
 #include <string.h>
+#include <limits.h>

 #include "reader-tr03119.h"
 #include "internal.h"
@ -655,6 +656,11 @@ int sc_read_binary(sc_card_t *card, unsigned int idx,
 				LOG_TEST_RET(card->ctx, r, "sc_read_binary() failed");
 			}
 			p += r;
+			if ((bytes_read > INT_MAX - r) || idx > UINT_MAX - r) {
+				/* `bytes_read + r` or `idx + r` would overflow */
+				sc_unlock(card);
+				LOG_FUNC_RETURN(card->ctx, SC_ERROR_OFFSET_TOO_LARGE);
+			}
 			idx += r;
 			bytes_read += r;
 			count -= r;