bfabiszewski/libmobi

Bug: Integer overflow parsing record offsets

zer1t0 opened this issue · 0 comments

There is an error parsing the record offsets in mobi_load_rec. If the next record offset is lower than the previous one, that results in a negative size that overflows the unsigned integer, so the malloc in mobi_load_recdata can be enormous.

        if (curr->next != NULL) {
            next = curr->next;
            size = next->offset - curr->offset; // <- integer overflow here
        } else {
           ....stripped
        }

        curr->size = size;
        ret = mobi_load_recdata(curr, file); // -> malloc(curr->size); -> enormous malloc

Here is a sample that shows this behaviour:
sample.zip
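A defensive version of the size computation, added here as an example (not libmobi's own code; the record struct and function names are hypothetical stand-ins): it checks that each record's end offset is not below its start and not past the file size before subtracting, so a reversed offset table is rejected instead of wrapping to a huge size.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for the record list walked in the report. */
typedef struct MobiRec {
    uint32_t offset;        /* start of record data in the file */
    size_t size;            /* filled in by compute_record_sizes */
    struct MobiRec *next;
} MobiRec;

/* Return 0 on success, -1 if any record offset is out of order or
 * lies beyond file_size. Sizes are only assigned once validated. */
int compute_record_sizes(MobiRec *head, size_t file_size) {
    for (MobiRec *curr = head; curr != NULL; curr = curr->next) {
        uint32_t end;
        if (curr->next != NULL) {
            end = curr->next->offset;
        } else {
            if (file_size > UINT32_MAX) return -1;
            end = (uint32_t) file_size;
        }
        /* The bug in the report: `next->offset - curr->offset` with
         * end < start wraps around in unsigned arithmetic. Reject it. */
        if (end < curr->offset) return -1;
        if (end > file_size) return -1;
        curr->size = end - curr->offset;
    }
    return 0;
}

/* Constructed sample: second record's successor sits *before* it,
 * the shape that triggers the wrap. Expected result: -1. */
int demo_reversed_offsets(void) {
    MobiRec r[3] = { {16, 0, &r[1]}, {8192, 0, &r[2]}, {4096, 0, NULL} };
    return compute_record_sizes(&r[0], 10000);
}

/* Constructed sample: offset past the 10000-byte file. Expected: -1. */
int demo_offset_past_eof(void) {
    MobiRec r[2] = { {16, 0, &r[1]}, {20000, 0, NULL} };
    return compute_record_sizes(&r[0], 10000);
}

/* Constructed sample with monotonic offsets; returns the summed sizes
 * (4080 + 4096 + 1808 = 9984) or 0 if validation failed. */
size_t demo_valid_offsets(void) {
    MobiRec r[3] = { {16, 0, &r[1]}, {4096, 0, &r[2]}, {8192, 0, NULL} };
    if (compute_record_sizes(&r[0], 10000) != 0) return 0;
    return r[0].size + r[1].size + r[2].size;
}
```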