From aabf1754d6cfd5bb5a596a03eedbc1709a00df0a Mon Sep 17 00:00:00 2001
From: Jiachen Fan
Date: Wed, 16 Dec 2020 15:40:24 +0800
Subject: [PATCH] fix oss-fuzz heap-overflow
---
 ...on-t-attempt-to-index-into-an-invali.patch | 35 +++++++++++
 ...ug-introduced-with-imap-offset-check.patch | 47 ++++++++++++++
 ...ress-to-uintptr_t-so-that-the-correc.patch | 24 +++++++
 0005-Fix-Fuzz-buffer-overflow.patch | 62 +++++++++++++++++++
 sleuthkit.spec | 12 +++-
 5 files changed, 179 insertions(+), 1 deletion(-)
 create mode 100644 0002-Ensure-that-we-don-t-attempt-to-index-into-an-invali.patch
 create mode 100644 0003-Fix-bug-introduced-with-imap-offset-check.patch
 create mode 100644 0004-Cast-attrseq-address-to-uintptr_t-so-that-the-correc.patch
 create mode 100644 0005-Fix-Fuzz-buffer-overflow.patch
diff --git a/0002-Ensure-that-we-don-t-attempt-to-index-into-an-invali.patch b/0002-Ensure-that-we-don-t-attempt-to-index-into-an-invali.patch
new file mode 100644
index 0000000..6e570e3
--- /dev/null
+++ b/0002-Ensure-that-we-don-t-attempt-to-index-into-an-invali.patch
@@ -0,0 +1,35 @@
+From 77a5b8bf749d059ed3966dc7b6c4a67d265fc69b Mon Sep 17 00:00:00 2001
+From: esaunders
+Date: Tue, 3 Dec 2019 17:28:38 -0500
+Subject: [PATCH 2/2] Ensure that we don't attempt to index into an invalid
+ offset in imap_buf.
+
+---
+ tsk/fs/ext2fs.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/tsk/fs/ext2fs.c b/tsk/fs/ext2fs.c
+index 5a480856..14715c11 100755
+--- a/tsk/fs/ext2fs.c
++++ b/tsk/fs/ext2fs.c
+@@ -1051,6 +1051,19 @@ ext2fs_inode_walk(TSK_FS_INFO * fs, TSK_INUM_T start_inum,
+ grp_num * tsk_getu32(fs->endian,
+ ext2fs->fs->s_inodes_per_group) + 1;
+
++ /*
++ * Ensure that inum - ibase refers to a valid offset in imap_buf.
++ */
++ if ((inum - ibase) > fs->block_size) {
++ tsk_release_lock(&ext2fs->lock);
++ free(dino_buf);
++ tsk_error_reset();
++ tsk_error_set_errno(TSK_ERR_FS_WALK_RNG);
++ tsk_error_set_errstr("%s: Invalid offset into imap_buf (inum %" PRIuINUM " - ibase %" PRIuINUM ")",
++ myname, inum, ibase);
++ return 1;
++ }
++
+ /*
+ * Apply the allocated/unallocated restriction.
+ */
+--
diff --git a/0003-Fix-bug-introduced-with-imap-offset-check.patch b/0003-Fix-bug-introduced-with-imap-offset-check.patch
new file mode 100644
index 0000000..7d55f4c
--- /dev/null
+++ b/0003-Fix-bug-introduced-with-imap-offset-check.patch
@@ -0,0 +1,47 @@
+From f7a20cf162a02a4ce5301eb6b27bbc53fd5998b5 Mon Sep 17 00:00:00 2001
+From: Brian Carrier
+Date: Wed, 29 Apr 2020 15:47:01 -0400
+Subject: [PATCH] Fix bug introduced with imap offset check
+
+---
+ tsk/fs/ext2fs.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/tsk/fs/ext2fs.c b/tsk/fs/ext2fs.c
+index 45dd18c2..1f56c943 100755
+--- a/tsk/fs/ext2fs.c
++++ b/tsk/fs/ext2fs.c
+@@ -841,6 +841,20 @@ ext2fs_dinode_copy(EXT2FS_INFO * ext2fs, TSK_FS_META * fs_meta,
+ grp_num * tsk_getu32(fs->endian,
+ ext2fs->fs->s_inodes_per_group) + fs->first_inum;
+
++
++ /*
++ * Ensure that inum - ibase refers to a valid bit offset in imap_buf.
++ */
++ if ((inum - ibase) > fs->block_size*8) {
++ tsk_release_lock(&ext2fs->lock);
++ tsk_error_reset();
++ tsk_error_set_errno(TSK_ERR_FS_WALK_RNG);
++ tsk_error_set_errstr("ext2fs_dinode_copy: Invalid offset into imap_buf (inum %" PRIuINUM " - ibase %" PRIuINUM ")",
++ inum, ibase);
++ return 1;
++ }
++
++
+ /*
+ * Apply the allocated/unallocated restriction.
+ */
+@@ -1052,9 +1066,9 @@ ext2fs_inode_walk(TSK_FS_INFO * fs, TSK_INUM_T start_inum,
+ ext2fs->fs->s_inodes_per_group) + 1;
+
+ /*
+- * Ensure that inum - ibase refers to a valid offset in imap_buf.
++ * Ensure that inum - ibase refers to a valid bit offset in imap_buf.
+ */
+- if ((inum - ibase) > fs->block_size) {
++ if ((inum - ibase) > fs->block_size*8) {
+ tsk_release_lock(&ext2fs->lock);
+ free(dino_buf);
+ tsk_error_reset();
+--
diff --git a/0004-Cast-attrseq-address-to-uintptr_t-so-that-the-correc.patch b/0004-Cast-attrseq-address-to-uintptr_t-so-that-the-correc.patch
new file mode 100644
index 0000000..5a16454
--- /dev/null
+++ b/0004-Cast-attrseq-address-to-uintptr_t-so-that-the-correc.patch
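Review bot: The bound 0003 introduces in ext2fs_dinode_copy, `if ((inum - ibase) > fs->block_size*8) {`, is off by one: if imap_buf holds `block_size` bytes, as the `*8` implies, the largest valid bit index is `block_size*8 - 1`, so an `inum - ibase` equal to `block_size*8` passes the check and the following bitmap lookup touches one byte past the buffer. Patch 0005 in this same commit corrects only the ext2fs_inode_walk copy of the check to `>=`; the dinode_copy copy is left as is and needs the same change, `if ((inum - ibase) >= fs->block_size*8) {`. The lookup that indexes imap_buf and its allocation are outside the hunk, so confirm the buffer size there before relying on this reasoning.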
@@ -0,0 +1,24 @@
+From 109ca428154925f6e031fbc817b48e9dc578f8db Mon Sep 17 00:00:00 2001
+From: esaunders
+Date: Tue, 14 Jan 2020 15:45:44 -0500
+Subject: [PATCH] Cast attrseq address to uintptr_t so that the correct type
+ can be inferred for the + operator.
+
+---
+ tsk/fs/ntfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tsk/fs/ntfs.c b/tsk/fs/ntfs.c
+index 837033ea..eeff809e 100755
+--- a/tsk/fs/ntfs.c
++++ b/tsk/fs/ntfs.c
+@@ -1770,7 +1770,7 @@ ntfs_proc_attrseq(NTFS_INFO * ntfs,
+ // sanity check on bounds of attribute. Prevents other
+ // issues later on that use attr->len for bounds checks.
+ if (((uintptr_t) attr + tsk_getu32(fs->endian,
+- attr->len)) > (uintptr_t) (a_attrseq + len)) {
++ attr->len)) > (uintptr_t)a_attrseq + len) {
+ break;
+ }
+
+--
diff --git a/0005-Fix-Fuzz-buffer-overflow.patch b/0005-Fix-Fuzz-buffer-overflow.patch
new file mode 100644
index 0000000..b719e0b
--- /dev/null
+++ b/0005-Fix-Fuzz-buffer-overflow.patch
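Review bot: The reason the cast now precedes the addition in `(uintptr_t)a_attrseq + len` is not stated anywhere in the hunk, and a later cleanup could easily restore the parenthesized form; if `a_attrseq` is a pointer to a structure (its declaration is outside the hunk), `a_attrseq + len` scales `len` by the pointee size and the old bound was far too generous. Extend the existing comment with `// cast first: a_attrseq + len would scale len by the pointee size, not bytes`. Note also that `attr->len` is dereferenced before this comparison, so an earlier check, outside the hunk, must already guarantee that the attribute header itself lies within the `len` bytes of the sequence; ntfs_proc_attrseq continues outside the hunk.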
@@ -0,0 +1,62 @@
+diff -Nur sleuthkit-4.6.7/tsk/fs/ext2fs.c sleuthkit-4.6.7.new/tsk/fs/ext2fs.c
+--- sleuthkit-4.6.7/tsk/fs/ext2fs.c 2020-12-16 14:43:46.929902964 +0800
++++ sleuthkit-4.6.7.new/tsk/fs/ext2fs.c 2020-12-16 14:54:44.211056190 +0800
+@@ -1021,8 +1021,10 @@
+ if ((fs_file = tsk_fs_file_alloc(fs)) == NULL)
+ return 1;
+ if ((fs_file->meta =
+- tsk_fs_meta_alloc(EXT2FS_FILE_CONTENT_LEN)) == NULL)
++ tsk_fs_meta_alloc(EXT2FS_FILE_CONTENT_LEN)) == NULL) {
++ tsk_fs_file_close(fs_file);
+ return 1;
++ }
+
+ // we need to handle fs->last_inum specially because it is for the
+ // virtual ORPHANS directory. Handle it outside of the loop.
+@@ -1038,6 +1040,7 @@
+ ext2fs->inode_size >
+ sizeof(ext2fs_inode) ? ext2fs->inode_size : sizeof(ext2fs_inode);
+ if ((dino_buf = (ext2fs_inode *) tsk_malloc(size)) == NULL) {
++ tsk_fs_file_close(fs_file);
+ return 1;
+ }
+
+@@ -1058,6 +1061,7 @@
+
+ if (ext2fs_imap_load(ext2fs, grp_num)) {
+ tsk_release_lock(&ext2fs->lock);
++ tsk_fs_file_close(fs_file);
+ free(dino_buf);
+ return 1;
+ }
+@@ -1068,8 +1072,9 @@
+ /*
+ * Ensure that inum - ibase refers to a valid bit offset in imap_buf.
+ */
+- if ((inum - ibase) > fs->block_size*8) {
++ if ((inum - ibase) >= fs->block_size*8) {
+ tsk_release_lock(&ext2fs->lock);
++ tsk_fs_file_close(fs_file);
+ free(dino_buf);
+ tsk_error_reset();
+ tsk_error_set_errno(TSK_ERR_FS_WALK_RNG);
+@@ -1120,7 +1125,7 @@
+ * to the application.
+ */
+ if (ext2fs_dinode_copy(ext2fs, fs_file->meta, inum, dino_buf)) {
+- tsk_fs_meta_close(fs_file->meta);
++ tsk_fs_file_close(fs_file);
+ free(dino_buf);
+ return 1;
+ }
+diff -Nur sleuthkit-4.6.7/tsk/fs/unix_misc.c sleuthkit-4.6.7.new/tsk/fs/unix_misc.c
+--- sleuthkit-4.6.7/tsk/fs/unix_misc.c 2019-08-03 04:20:57.000000000 +0800
++++ sleuthkit-4.6.7.new/tsk/fs/unix_misc.c 2020-12-16 14:56:46.852764086 +0800
+@@ -180,6 +180,7 @@
+ }
+ tsk_error_set_errstr2("unix_make_data_run_indir: Block %"
+ PRIuDADDR, addr);
++ free(data_run);
+ return -1;
+ }
+ }
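Review bot: The `free(data_run)` in the unix_misc.c hunk covers one exit from unix_make_data_run_indir only; if `data_run` is allocated before the indirect-block buffer is obtained, the allocation-failure return immediately above this hunk leaks it in the same way, and once the run has been handed to `tsk_fs_attr_add_run` it must not be freed again, so the remaining error exits of that function, all outside the hunk, should be checked for both cases. In the ext2fs.c hunks the switch from `tsk_fs_meta_close(fs_file->meta)` to `tsk_fs_file_close(fs_file)` and the four added close calls are consistent with each other, but they presuppose that `tsk_fs_file_close` also releases `fs_file->meta`; a short comment at the first added call, `/* tsk_fs_file_close also frees fs_file->meta; use it on every error exit */`, would keep future error paths uniform. The `>` to `>=` change on the imap_buf bound is the actual out-of-bounds fix, assuming imap_buf is `block_size` bytes as the `*8` implies; the identical check in ext2fs_dinode_copy, added by patch 0003, is not updated here.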
diff --git a/sleuthkit.spec b/sleuthkit.spec
index 4c57bf2..f11d76c 100644
--- a/sleuthkit.spec
+++ b/sleuthkit.spec
@@ -1,12 +1,16 @@
 Name: sleuthkit
 Version: 4.6.7
-Release: 3
+Release: 4
 Summary: Tools for file system and volume forensic analysis
 License: CPL and IBM and GPLv2+
 URL: http://www.sleuthkit.org
 Source0: https://github.com/sleuthkit/sleuthkit/releases/download/sleuthkit-%{version}/sleuthkit-%{version}.tar.gz
 Patch1: 0001-MEMORYLEAK-DOS-LOAD-EXT-TABLE.patch
+Patch2: 0002-Ensure-that-we-don-t-attempt-to-index-into-an-invali.patch
+Patch3: 0003-Fix-bug-introduced-with-imap-offset-check.patch
+Patch4: 0004-Cast-attrseq-address-to-uintptr_t-so-that-the-correc.patch
+Patch5: 0005-Fix-Fuzz-buffer-overflow.patch
 BuildRequires: gcc-c++ afflib-devel >= 3.3.4 libewf-devel perl-generators sqlite-devel
@@ -81,6 +85,12 @@ sed -i.rpath 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
 %{_mandir}/man1/*
 %changelog
+* Tue Dec 15 2020 Jiachen Fan - 4.6.7-4
+- fix oss-fuzz heap over flow
+
+* Wed Dec 9 2020 Jiachen Fan - 4.6.7-3
+- fix oss-fuzz memory leak
+
 * Fri Feb 21 2020 wangzhishun - 4.6.7-2
 - Package init
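Review bot: Patch2 through Patch5 are declared here, but whether they are applied depends on the %prep section, which is outside both hunks; if it uses explicit `%patch1 -p1` lines rather than `%autosetup`/`%autopatch`, matching `%patch2 -p1` through `%patch5 -p1` lines are needed or the new fixes never reach the build. Application order also matters, since 0003 and 0005 rewrite the lines 0002 adds, so they must be applied in numeric order. The changelog entry has a typo, `heap over flow` should be `heap overflow`, and its Dec 15 date differs from the commit date of Dec 16.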