From: Apple Date: Wed, 13 Aug 2014 17:58:04 +0000 (+0000) Subject: launchd-842.92.1.tar.gz X-Git-Tag: os-x-1094^0 X-Git-Url: https://git.saurik.com/apple/launchd.git/commitdiff_plain/5f168eafe31b32dca31f253a9ab3242312a6c409 launchd-842.92.1.tar.gz --- diff --git a/liblaunch/liblaunch.c b/liblaunch/liblaunch.c index 6cef3dd..67a0e07 100644 --- a/liblaunch/liblaunch.c +++ b/liblaunch/liblaunch.c @@ -788,6 +788,10 @@ launch_data_unpack(void *data, size_t data_size, int *fds, size_t fd_cnt, size_t launch_data_t r = data + *data_offset; size_t i, tmpcnt; + //Check for integer underflow + if (data_size < *data_offset) + return NULL; + if ((data_size - *data_offset) < sizeof(struct _launch_data)) return NULL; *data_offset += sizeof(struct _launch_data); @@ -796,6 +800,13 @@ launch_data_unpack(void *data, size_t data_size, int *fds, size_t fd_cnt, size_t case LAUNCH_DATA_DICTIONARY: case LAUNCH_DATA_ARRAY: tmpcnt = big2wire(r->_array_cnt); + + //Check for integer overflows + if (tmpcnt > SIZE_MAX / sizeof(uint64_t)) { + errno = EAGAIN; + return NULL; + } + if ((data_size - *data_offset) < (tmpcnt * sizeof(uint64_t))) { errno = EAGAIN; return NULL; diff --git a/src/core.c b/src/core.c index 61c4c33..4130842 100644 --- a/src/core.c +++ b/src/core.c @@ -9735,6 +9735,7 @@ job_mig_init_session(job_t j, name_t session_type, mach_port_t asport) if (j->mgr->session_initialized) { job_log(j, LOG_ERR, "Tried to initialize an already setup session!"); kr = BOOTSTRAP_NOT_PRIVILEGED; + return kr; } else if (strcmp(session_type, VPROCMGR_SESSION_LOGINWINDOW) == 0) { jobmgr_t jmi; diff --git a/src/log.c b/src/log.c index 1bd8b49..95a29ff 100644 --- a/src/log.c +++ b/src/log.c @@ -347,6 +347,11 @@ launchd_log_forward(uid_t forward_uid, gid_t forward_gid, vm_offset_t inval, mac break; } + if (lm_walk->obj_sz < sizeof(struct logmsg_s)) { + launchd_syslog(LOG_WARNING, "Received bytes %llu are less than expected bytes %lu.", lm_walk->obj_sz, sizeof(struct logmsg_s)); + break; + } + if (!(lm = malloc(lm_walk->obj_sz))) { launchd_syslog(LOG_WARNING, "Failed to allocate %llu bytes for log message with %u bytes left in forwarded data. Ignoring remaining messages.", lm_walk->obj_sz, data_left); break;