From 1ed58953b7a50c9a5e994e3d8d35055bef007fcd Mon Sep 17 00:00:00 2001
From: tsteven4 <13596209+tsteven4@users.noreply.github.com>
Date: Sun, 5 Dec 2021 15:30:05 -0700
Subject: [PATCH] harden gbfgetcstr, gbfgetpstr. (#782)

Hangs were detected with afl and the gdb reader and gbfgetcstr.  One such
hang reads a fuzzed 32 bit url count with FREAD_i32, and then proceeds
to fetch that many strings with FREAD_CSTR_AS_QSTR.  This results in
fetches from beyond EOF that are undetected.  gbfgetcstr_old is modified
to throw a fatal error if reading is attempted beyond EOF.

A similar failure was not detected with gbfgetpstr, but it is also
modified to throw a fatal error if reading is attempted beyond EOF.
---
 gbfile.cc | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/gbfile.cc b/gbfile.cc
index cba62e281..b9f8c906c 100644
--- a/gbfile.cc
+++ b/gbfile.cc
@@ -990,10 +990,14 @@ gbfgetcstr_old(gbfile* file)
   for (;;) {
     int c = gbfgetc(file);
 
-    if ((c == 0) || (c == EOF)) {
+    if (c == 0) {
       break;
     }
 
+    if (c == EOF) {
+      fatal("%s: Unexpected end of file (%s)!\n", file->module, file->name);
+    }
+
     if (len == file->buffsz) {
       file->buffsz += 64;
       str = file->buff = (char*) xrealloc(file->buff, file->buffsz + 1);
@@ -1030,17 +1034,20 @@ gbfgetnativecstr(gbfile* file)
 }
 
 /*
- * gbfgetpstr: Reads a pascal string (first byte is length) from file.
- *             The result is a temporary allocated entity: use it or free it!
+ * gbfgetpstr: Reads a pascal short string (first byte is length) from file.
  */
 
 QString
 gbfgetpstr(gbfile* file)
 {
   int len = gbfgetc(file);
+  if (len == EOF) {
+    fatal("%s: Unexpected end of file (%s)!\n", file->module, file->name);
+  }
   QByteArray ba;
   ba.resize(len);
-  gbfread(ba.data(), 1, len, file);
+  is_fatal((gbfread(ba.data(), 1, len, file) != (gbsize_t) len),
+           "%s: Unexpected end of file (%s)!\n", file->module, file->name);
 
   return QString(ba);
 }
-- 
2.30.2