diff options
author | Frank Chen <frankchn@google.com> | 2018-04-04 16:26:25 -0700 |
---|---|---|
committer | TensorFlower Gardener <gardener@tensorflow.org> | 2018-04-04 16:29:02 -0700 |
commit | d107fee1e4a9a4462f01564798d345802acc2aef (patch) | |
tree | 3503e096e959947b07576412a548633b8ff1a100 /tensorflow/core/lib/io/format.cc | |
parent | f8acfb01792886274778d9ad7a9d990cbef14141 (diff) |
Check that n + kBlockTrailerSize does not overflow before reading a block
PiperOrigin-RevId: 191666300
Diffstat (limited to 'tensorflow/core/lib/io/format.cc')
-rw-r--r-- | tensorflow/core/lib/io/format.cc | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/tensorflow/core/lib/io/format.cc b/tensorflow/core/lib/io/format.cc index 64852943ad..0c24c660a2 100644 --- a/tensorflow/core/lib/io/format.cc +++ b/tensorflow/core/lib/io/format.cc @@ -13,6 +13,8 @@ See the License for the specific language governing permissions and limitations under the License. ==============================================================================*/ +#include <limits> + #include "tensorflow/core/lib/io/format.h" #include "tensorflow/core/lib/core/coding.h" @@ -84,6 +86,11 @@ Status ReadBlock(RandomAccessFile* file, const BlockHandle& handle, // Read the block contents as well as the type/crc footer. // See table_builder.cc for the code that built this structure. size_t n = static_cast<size_t>(handle.size()); + + if (kBlockTrailerSize > std::numeric_limits<size_t>::max() - n) { + return errors::DataLoss("handle.size() too big"); + } + char* buf = new char[n + kBlockTrailerSize]; StringPiece contents; Status s = file->Read(handle.offset(), n + kBlockTrailerSize, &contents, buf); |