Commit 7b9e4f1b4 for clamav.net

commit 7b9e4f1b4244cbaac4eb6b1234c4a4e26c83b9f7
Author: Val S. <micasnyd@cisco.com>
Date:   Mon Jun 30 10:46:53 2025 -0400

    Fix out of bounds read in UDF parser (#1522)

    A pointer representing file identifiers and file entries may be added to
    a list for later processing before validating that the length of the data
    is within the given volume descriptor size.

    The fix moves the size check to occur before adding it to the list.

    Issue reported by volticks, @movx64 on Twitter working with Trend Micro
    Zero Day Initiative.

diff --git a/libclamav/udf.c b/libclamav/udf.c
index 11cc0074b..38599a78c 100644
--- a/libclamav/udf.c
+++ b/libclamav/udf.c
@@ -684,17 +684,21 @@ static cl_error_t findFileIdentifiers(const uint8_t *const input, PointerList *p
     size_t fidDescSize;

     while (FILE_IDENTIFIER_DESCRIPTOR == tagId) {
+        /* This is how far into the Volume we already are. */
+        bufUsed     = buffer - input;
+        fidDescSize = getFileIdentifierDescriptorSize((FileIdentifierDescriptor *)buffer);
+
+        /* Check that it's safe to save the file identifier pointer for later use */
+        if (VOLUME_DESCRIPTOR_SIZE < (fidDescSize + bufUsed)) {
+            break;
+        }

-        /*Check that it's safe to read the header. */
+        /* Add the buffer to the list of file identifier pointers */
         if (CL_SUCCESS != (ret = insertPointer(pfil, buffer))) {
             goto done;
         }

-        /*This is how far into the Volume we already are.*/
-        bufUsed     = buffer - input;
-        fidDescSize = getFileIdentifierDescriptorSize((FileIdentifierDescriptor *)buffer);
-
-        /* Check that it's safe to read the header for the next FileIdentifierDescriptor */
+        /* Check that it's safe to read the TagID from the header of the next FileIdentifierDescriptor (if one exists) */
         if (VOLUME_DESCRIPTOR_SIZE < (fidDescSize + bufUsed + FILE_IDENTIFIER_DESCRIPTOR_SIZE_KNOWN)) {
             break;
         }
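Review bot: The new bound check `VOLUME_DESCRIPTOR_SIZE < (fidDescSize + bufUsed)` adds two values taken from parsed data before comparing them with the limit. If that sum can wrap, an oversized descriptor would pass the check and still be inserted into the list. Whether it can wrap depends on the width of `size_t` and on how the size helper combines the on-disk length fields, and neither is visible in this hunk. The subtraction form does not depend on that: `if (bufUsed > VOLUME_DESCRIPTOR_SIZE || fidDescSize > VOLUME_DESCRIPTOR_SIZE - bufUsed) { break; }`. The same applies to the `fedDescSize + bufUsed` check in findFileEntries and to both "next descriptor" checks that add a `*_SIZE_KNOWN` constant; the loop body continues outside the hunk.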
@@ -716,15 +720,21 @@ static cl_error_t findFileEntries(const uint8_t *const input, PointerList *pfil)
     size_t fedDescSize;

     while (FILE_ENTRY_DESCRIPTOR == tagId) {
+        /* This is how far into the Volume we already are. */
+        bufUsed     = buffer - input;
+        fedDescSize = getFileEntryDescriptorSize((FileEntryDescriptor *)buffer);
+
+        /* Check that it's safe to save the file identifier pointer for later use */
+        if (VOLUME_DESCRIPTOR_SIZE < (fedDescSize + bufUsed)) {
+            break;
+        }
+
+        /* Add the buffer to the list of file entry pointers */
         if (CL_SUCCESS != (ret = insertPointer(pfil, buffer))) {
             goto done;
         }

-        /*This is how far into the Volume we already are.*/
-        bufUsed     = buffer - input;
-        fedDescSize = getFileEntryDescriptorSize((FileEntryDescriptor *)buffer);
-
-        /* Check that it's safe to read the header for the next FileEntryDescriptor */
+        /* Check that it's safe to read the TagID from the header of the next FileEntryDescriptor (if one exists) */
         if (VOLUME_DESCRIPTOR_SIZE < (fedDescSize + bufUsed + FILE_ENTRY_DESCRIPTOR_SIZE_KNOWN)) {
             break;
         }
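Review bot: The comment above the new check in findFileEntries still says "file identifier pointer", apparently copied from findFileIdentifiers, although the pointer saved here is a file entry. It should read `/* Check that it's safe to save the file entry pointer for later use */`. It would also help to say in that comment that the check covers the full descriptor length (`fedDescSize`), not only the fixed header. Going by the commit message, that is what the later processing of the list relies on.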