Fix heap overflow in ARM.

In ARM the pointer returned by yr_notebook_alloc was being rounded up to a 4-bytes boundary, but the size of the buffer was not increased accordingly. This means the caller of yr_notebook_alloc could receive a buffer that is 1 to 3 bytes smaller than the requested sized.
VirusTotal · Apr 26, 2022 · 037c536 · 037c536
1 parent 457a03a
commit 037c536
Showing 1 changed file with 7 additions and 11 deletions.
diff --git a/libyara/notebook.c b/libyara/notebook.c
@@ -140,6 +140,13 @@ int yr_notebook_destroy(YR_NOTEBOOK* notebook)
 //
 void* yr_notebook_alloc(YR_NOTEBOOK* notebook, size_t size)
 {
+  // In ARM make sure the buffer's size is rounded up to a multiple of 4,
+  // which also implies that the returned pointers are aligned to 4 bytes.
+
+#if defined(__arm__)
+  size = (size + 3) & ~0x3;
+#endif
+
   // The requested memory size can't be larger than a notebook's page.
   assert(size <= notebook->page_size);
 
@@ -160,17 +167,6 @@ void* yr_notebook_alloc(YR_NOTEBOOK* notebook, size_t size)
 
   void* ptr = notebook->page_list_head->data + notebook->page_list_head->used;
 
-// In ARM make sure the alignment of the returned buffer is 4 bytes.
-#if defined(__arm__)
-  uintptr_t misalignment = (uintptr_t) ptr & 3;
-
-  if (misalignment)
-  {
-    size += 4 - misalignment;
-    ptr += 4 - misalignment;
-  }
-#endif
-
   notebook->page_list_head->used += size;
 
   return ptr;