Fix a possible crash when loading a malformed logical signature

If the 'hexsig' for an image fuzzy hash subsignature has invalid unicode it may cause a crash. The problem is we fail to allocate an error message in this instance, so when it tries to print that message it gets a NULL dereference. This is not a security issue. Fixes: https://issues.oss-fuzz.com/issues/376331488
Cisco-Talos · Oct 30, 2024 · 89711e1 · 89711e1
1 parent 52b2017
commit 89711e1
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 2 deletions.
diff --git a/libclamav_rust/src/evidence.rs b/libclamav_rust/src/evidence.rs
@@ -209,7 +209,7 @@ pub unsafe extern "C" fn _evidence_add_indicator(
     indicator_type: IndicatorType,
     err: *mut *mut FFIError,
 ) -> bool {
-    let name_str = validate_str_param!(name);
+    let name_str = validate_str_param!(name, err = err);
 
     let mut evidence = ManuallyDrop::new(Box::from_raw(evidence as *mut Evidence));
 

diff --git a/libclamav_rust/src/ffi_util.rs b/libclamav_rust/src/ffi_util.rs
@@ -288,6 +288,13 @@ mod tests {
 ///    let blah = validate_str_param!(blah);
 /// # }
 /// ```
+/// ```edition2018
+/// use util::validate_str_param;
+///
+/// # pub extern "C" fn _my_c_interface(blah: *const c_char) -> sys::cl_error_t {
+///    let blah = validate_str_param!(blah, err = err);
+/// # }
+/// ```
 #[macro_export]
 macro_rules! validate_str_param {
     ($ptr:ident) => {
@@ -305,4 +312,25 @@ macro_rules! validate_str_param {
             }
         }
     };
+
+    ($ptr:ident, err=$err:ident) => {
+        if $err.is_null() {
+            warn!("{} is NULL", stringify!($err));
+            return false;
+        } else if $ptr.is_null() {
+            warn!("{} is NULL", stringify!($ptr));
+            return false;
+        } else {
+            #[allow(unused_unsafe)]
+            match unsafe { CStr::from_ptr($ptr) }.to_str() {
+                Err(e) => {
+                    warn!("{} is not valid unicode: {}", stringify!($ptr), e);
+
+                    *$err = Box::into_raw(Box::new(e.into()));
+                    return false;
+                }
+                Ok(s) => s,
+            }
+        }
+    };
 }
diff --git a/libclamav_rust/src/fuzzy_hash.rs b/libclamav_rust/src/fuzzy_hash.rs
@@ -181,7 +181,7 @@ pub unsafe extern "C" fn _fuzzy_hash_load_subsignature(
     subsig_id: u32,
     err: *mut *mut FFIError,
 ) -> bool {
-    let hexsig = validate_str_param!(hexsig);
+    let hexsig = validate_str_param!(hexsig, err=err);
 
     let mut hashmap = ManuallyDrop::new(Box::from_raw(fuzzy_hashmap as *mut FuzzyHashMap));