Bug: Integer overflow parsing record offsets
zer1t0 opened this issue · 0 comments
zer1t0 commented
There is an error parsing the record offsets in mobi_load_rec. If the next record offset is lower than the previous one, that results in a negative size that overflows the unsigned integer, so the malloc in mobi_load_recdata can be enormous.
```c
if (curr->next != NULL) {
    next = curr->next;
    size = next->offset - curr->offset; // <- integer overflow here
} else {
    ....stripped
}
curr->size = size;
ret = mobi_load_recdata(curr, file); // -> malloc(curr->size); -> enormous malloc
```
Here is a sample that shows this behaviour:
sample.zip
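The check described in the report, as an added example that is not libmobi's own code: a `Rec` struct (a hypothetical stand-in for the record list node) and a size computation that rejects non-increasing or out-of-file offsets before the unsigned subtraction can wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the record list node; not libmobi's own struct. */
typedef struct Rec {
    uint32_t offset;   /* file offset of this record's data */
    size_t size;       /* computed length, filled in below */
    struct Rec *next;
} Rec;

typedef enum { REC_OK = 0, REC_ERR_ORDER, REC_ERR_BOUNDS } RecStatus;

/* Derive each record's size from the next offset (or the file size for the last one).
 * Non-increasing offsets and offsets past the end of the file are rejected up front,
 * so `next->offset - curr->offset` can never wrap around to a huge unsigned value. */
RecStatus compute_record_sizes(Rec *head, uint32_t file_size)
{
    for (Rec *curr = head; curr != NULL; curr = curr->next) {
        if (curr->offset > file_size)
            return REC_ERR_BOUNDS;
        uint32_t end = (curr->next != NULL) ? curr->next->offset : file_size;
        if (end > file_size)
            return REC_ERR_BOUNDS;
        if (end < curr->offset)
            return REC_ERR_ORDER;          /* this is the case that underflowed */
        curr->size = end - curr->offset;   /* safe: end >= curr->offset */
    }
    return REC_OK;
}

/* Build a linked list from an array of offsets (constructed input) and run the check. */
RecStatus check_offsets(const uint32_t *offsets, size_t n, uint32_t file_size, Rec *recs)
{
    for (size_t i = 0; i < n; i++) {
        recs[i].offset = offsets[i];
        recs[i].size = 0;
        recs[i].next = (i + 1 < n) ? &recs[i + 1] : NULL;
    }
    return compute_record_sizes(n ? recs : NULL, file_size);
}

int main(void)
{
    Rec recs[3];
    const uint32_t bad[]  = { 0, 100, 50 };    /* third offset lower than second */
    const uint32_t good[] = { 0, 100, 300 };
    printf("descending offsets -> status %d\n", check_offsets(bad, 3, 400, recs));
    printf("monotonic offsets  -> status %d, sizes %zu/%zu/%zu\n",
           check_offsets(good, 3, 400, recs), recs[0].size, recs[1].size, recs[2].size);
    return 0;
}
```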