From 96615ed83d43680bdc75076265848db27452e820 Mon Sep 17 00:00:00 2001
From: OrbisAI Security
Date: Sun, 24 May 2026 12:28:28 +0530
Subject: [PATCH] fix: port V-001 security fixes to refactored binary_reader.c

This commit merges the security fixes from PR #16 with the upstream refactored codebase. The upstream version had undergone a major refactoring to use binary_utils.h for endianness handling, but lacked the integer overflow protections.

Security fixes applied:
1. readCheck(): Replace vulnerable `bufferPos + bytes > bufferSize` with overflow-safe check using separate comparisons
2. BinaryReader_readBytesAt(): Replace vulnerable `offset + count` arithmetic with overflow-safe bounds checking

These fixes prevent heap buffer overflow attacks that could occur when integer overflow causes bounds checks to pass incorrectly.

Original security fix: 4a6574df (OrbisAI Security)
Upstream refactoring: e698eaa3 (Project-Sunshine-Native/cinnamon)

Co-Authored-By: Claude Sonnet 4.5
---
 src/binary_reader.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/binary_reader.c b/src/binary_reader.c
index a18ba179..9f4bfc06 100644
--- a/src/binary_reader.c
+++ b/src/binary_reader.c
@@ -25,7 +25,7 @@ void BinaryReader_clearBuffer(BinaryReader* reader) {
 static void readCheck(BinaryReader* reader, void* dest, size_t bytes) {
 if (reader->buffer != nullptr) {
- if (reader->bufferPos + bytes > reader->bufferSize) {
+ if (reader->bufferPos > reader->bufferSize || bytes > reader->bufferSize - reader->bufferPos) {
 size_t absPos = reader->bufferBase + reader->bufferPos;
 fprintf(stderr, "BinaryReader: buffer read error at position 0x%zX (requested %zu bytes, buffer has %zu remaining)\n", absPos, bytes, reader->bufferSize - reader->bufferPos);
 abort();
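Review bot: The diagnostic on the new failure path still evaluates `reader->bufferSize - reader->bufferPos` unguarded, so in exactly the `bufferPos > bufferSize` case the new condition was written to catch, the message printed right before abort() reports a wrapped-around "remaining" count, which misleads anyone triaging the crash. Compute it once with the same guard the condition uses, e.g. `size_t remaining = reader->bufferPos <= reader->bufferSize ? reader->bufferSize - reader->bufferPos : 0;` and pass `remaining` both to the comparison (`bytes > remaining`) and to the fprintf; `absPos` is the same unchecked `bufferBase + bufferPos` sum and is only tolerable because it feeds a diagnostic. The new condition itself is correct: testing the position first makes the subtraction well-defined, and the subtracted form cannot overflow the way `bufferPos + bytes` could. readCheck continues past the end of the hunk, so the copy into `dest` that presumably follows the check is not visible here.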
@@ -106,7 +106,7 @@ uint8_t* BinaryReader_readBytesAt(BinaryReader* reader, size_t offset, size_t co
 uint8_t* buf = safeMalloc(count);
 if (reader->buffer != nullptr) {
- if (offset < reader->bufferBase || offset + count > reader->bufferBase + reader->bufferSize) {
+ if (offset < reader->bufferBase || (offset - reader->bufferBase) > reader->bufferSize || count > reader->bufferSize - (offset - reader->bufferBase)) {
 fprintf(stderr, "BinaryReader: readBytesAt offset 0x%zX+%zu out of buffer range [0x%zX, 0x%zX)\n", offset, count, reader->bufferBase, reader->bufferBase + reader->bufferSize);
 abort();
 }
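Review bot: `safeMalloc(count)` on the first context line still runs before the new bounds check, so an out-of-range `count` reaches the allocator before it is rejected; if safeMalloc aborts on failure the process dies with an allocation message instead of the range error this hunk adds, and the check gates nothing about the allocation it follows. Validating `count` before the call (the buffered branch already has everything it needs) keeps the failure point and the diagnostic aligned; the non-buffered branch of BinaryReader_readBytesAt lies outside the hunk, so whether it needs its own guard cannot be judged here. The condition is correct but spells `offset - reader->bufferBase` twice; hoisting it as `size_t rel = offset - reader->bufferBase; /* meaningful only when offset >= bufferBase, which the first test guarantees */` and writing `if (offset < reader->bufferBase || rel > reader->bufferSize || count > reader->bufferSize - rel) {` is equivalent (the unsigned wrap when offset is too small is well-defined and short-circuited away) and easier to audit. The `reader->bufferBase + reader->bufferSize` in the fprintf is the same unchecked sum the removed condition relied on; it is acceptable only because it now feeds a diagnostic, and the message would read more usefully if it also printed the relative offset.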