Validate that UDIFBlock data length matches the size and reported number of chunks.

chrome/utility/safe_browsing/mac/udif.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/utility/safe_browsing/mac/udif.h"
 
 #include <CoreFoundation/CoreFoundation.h>
 #include <bzlib.h>
 #include <libkern/OSByteOrder.h>
 #include <uuid/uuid.h>
@@ skipping 172 matching lines @@
   ConvertBigEndian(&block->chunk_count);
   // Note: This deliberately does not swap the chunks themselves.
 }
 
 // UDIFBlock takes a raw, big-endian block data pointer and stores, in host
 // endian, the data for both the block and the chunk.
 class UDIFBlock {
  public:
   UDIFBlock() : block_() {}
 
-  bool ParseBlockData(const UDIFBlockData* block_data, uint16_t sector_size) {
+  bool ParseBlockData(const UDIFBlockData* block_data,
+                      size_t block_data_size,
+                      uint16_t sector_size) {
+    if (block_data_size < sizeof(block_)) {
+      DLOG(ERROR) << "UDIF block data is smaller than expected";
+      return false;
+    }
+
     block_ = *block_data;
     ConvertBigEndian(&block_);
 
     // Make sure the number of sectors doesn't overflow.
     auto block_size = base::CheckedNumeric<size_t>(sector_count()) *
                       sector_size;
     if (!block_size.IsValid()) {
       DLOG(ERROR) << "UDIF block size overflows";
       return false;
     }
 
+    // Make sure the block data contains the reported number of chunks.
+    auto block_and_chunks_size =
+        (base::CheckedNumeric<size_t>(sizeof(UDIFBlockChunk)) *
+         block_.chunk_count) +
+        sizeof(block_);
+    if (!block_and_chunks_size.IsValid() ||
+        block_data_size < block_and_chunks_size.ValueOrDie()) {
+      DLOG(ERROR) << "UDIF block does not contain reported number of chunks, "
+                  << block_and_chunks_size.ValueOrDie() << " bytes expected, "
+                  << "got " << block_data_size;
+      return false;
+    }
+
     // Make sure that the chunk data isn't larger than the block reports.
     base::CheckedNumeric<size_t> chunk_sectors(0);
     for (uint32_t i = 0; i < block_.chunk_count; ++i) {
       chunks_.push_back(block_data->chunks[i]);
       UDIFBlockChunk* chunk = &chunks_[i];
       ConvertBigEndian(chunk);
 
       chunk_sectors += chunk->sector_count;
       if (!chunk_sectors.IsValid() ||
           chunk_sectors.ValueOrDie() > sector_count()) {
@@ skipping 264 matching lines @@
     if (!data) {
       DLOG(ERROR) << "Skipping block " << i
                   << " because it has no Data section";
       continue;
     }
 
     // Copy the block table out of the plist.
     std::unique_ptr<UDIFBlock> block(new UDIFBlock());
     if (!block->ParseBlockData(
             reinterpret_cast<const UDIFBlockData*>(CFDataGetBytePtr(data)),
+            base::checked_cast<size_t>(CFDataGetLength(data)),
             block_size_)) {
       DLOG(ERROR) << "Failed to parse UDIF block data";
       return false;
     }
 
     if (block->signature() != UDIFBlockData::kSignature) {
       DLOG(ERROR) << "Skipping block " << i << " because its signature does not"
                   << " match, is 0x" << std::hex << block->signature();
       continue;
     }
@@ skipping 337 matching lines @@
                 << chunk_->compressed_offset;
     return false;
   }
   return true;
 }
 
 }  // namespace
 
 }  // namespace dmg
 }  // namespace safe_browsing