Extra checking to prevent loop counter from wrapping around

[kevinbackhouse]

Fixes: GHSA-hqjh-hpv8-8r9p

The bug is this loop condition in CrwMap::decodeArray. The loop counter, c, is a uint16_t, so if the component size is greater than 2 * 0xffff then c will wrap around and the loop won't terminate.

There are 3 commits:

1. Regression test
2. Fix for GHSA-hqjh-hpv8-8r9p
3. Defensive fixes for similar looking loop conditions

So the 3rd commit is optional. I'll add comments to the code review explaining those changes.

[kevinbackhouse]

Unfortunately, this code doesn't seem to be covered by any of our tests. But I am pretty sure that if this loop doesn't terminate early then, on the final iteration of the loop, this array access will attempt to access blocksMap_[-1]. Since all this code is doing is preloading blockSize for the next iteration, it is better to just load it at the beginning of the loop.

[kevinbackhouse]

The return type count is long and the parameter type of toString is long, so long is a better choice for the type of i.

[kevinbackhouse]

value is a std::string, so size_t is a better choice for the type of i.

[kevinbackhouse]

This is the fix for GHSA-hqjh-hpv8-8r9p
The value of ciffComponent.size() is bounds-checked before the start of the loop and the correct number of iterations is precomputed.

[kevinbackhouse]

The number 50 looks wrong to me. If c == 23 and n == 3 then the read below will read the 6 bytes starting at offset 46. Therefore the size needs to be at least 52.

[kevinbackhouse]

input is a std::string, so size_t is a better type for i.

[kevinbackhouse]

Make sure that input.length() - 4 cannot overflow.

[kevinbackhouse]

The subtraction bytes.size() - 3 could overflow. i + 3 cannot, because i is initially 0 and only incremented by 1 on each loop iteration.

[kevinbackhouse]

Hmm. I just realized that my logic that i + 3 cannot overflow doesn't work here because i is incremented with a += in this loop. I'll add another commit to fix it.

[kevinbackhouse]

Make sure that value.count() doesn't exceed the range of a uint16_t.

[kevinbackhouse]

stringValue is a std::string, so size_t is a better choice for i.

[kevinbackhouse]

The type of records[i].size is uint16_t, so uint16_t is a better choice for k.

[kevinbackhouse]

The type of bytes.size() is size_t, so size_t is a better choice for i.

[kevinbackhouse]

Prevent integer overflow in bytes.size() - 3 below.

[kevinbackhouse]

I used two CodeQL queries to find loop conditions similar to the original bug. Both queries have quite a few false positives, so I ignored some of the results.

The first query looks for loop conditions of the form a < b where the value of b could be larger than the type of a is capable of representing. For example: a is a uint16_t and b is a size_t.

import cpp
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils

from Loop loop, RelationalOperation cmp, Expr a, Expr b, LocalVariable v
where loop.getCondition().getAChild*() = cmp
and a = cmp.getLesserOperand()
and b = cmp.getGreaterOperand()
and exprMaxVal(a) < upperBound(b.getFullyConverted())
and a.getAChild*() = v.getAnAccess()
select cmp, a, b

The second query looks for loop conditions that do arithmetic in the comparison. For example: a < size-10.

import cpp

// Find loop conditions like this: `while (a < size-10)`.
// Conditions like that are often an overflow risk.
from Loop loop, RelationalOperation cmp, BinaryArithmeticOperation binop
where
  loop.getCondition().getAChild*() = cmp and
  binop = cmp.getAnOperand() and
  not binop.isConstant() and
  // Ignore results in the standard libraries and in the xmpsdk subdirectory.
  exists (string path |
    path = cmp.getLocation().getFile().getRelativePath() and
    not path.matches("xmpsdk/%"))
select binop, "Arithmetic in loop condition."