From 603ae4ed8cd65abf0776ef7f68354a5c24a3411c Mon Sep 17 00:00:00 2001
From: Sebastien GODARD <sysstat@users.noreply.github.com>
Date: Tue, 15 Oct 2019 14:39:33 +0800
Subject: [PATCH] Fix #232: Memory corruption bug due to Integer Overflow in
 remap_struct()

Try to avoid integer overflow when reading a corrupted binary datafile
with sadf.

Upstream-Status: Backport [https://github.com/sysstat/sysstat/commit/83fad9c895d1ac13f76af5883b7451b3302beef5]
CVE: CVE-2019-16167

Signed-off-by: Sebastien GODARD <sysstat@users.noreply.github.com>
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
---
 sa_common.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/sa_common.c b/sa_common.c
index 395c11c..cfa9007 100644
--- a/sa_common.c
+++ b/sa_common.c
@@ -1336,7 +1336,8 @@ int remap_struct(unsigned int gtypes_nr[], unsigned int ftypes_nr[],
 	/* Remap [unsigned] int fields */
 	d = gtypes_nr[1] - ftypes_nr[1];
 	if (d) {
-		if (ftypes_nr[1] * UL_ALIGNMENT_WIDTH < ftypes_nr[1])
+		if (gtypes_nr[0] * ULL_ALIGNMENT_WIDTH +
+		    ftypes_nr[1] * UL_ALIGNMENT_WIDTH < ftypes_nr[1])
 			/* Overflow */
 			return -1;
 
@@ -1365,7 +1366,9 @@ int remap_struct(unsigned int gtypes_nr[], unsigned int ftypes_nr[],
 	/* Remap possible fields (like strings of chars) following int fields */
 	d = gtypes_nr[2] - ftypes_nr[2];
 	if (d) {
-		if (ftypes_nr[2] * U_ALIGNMENT_WIDTH < ftypes_nr[2])
+		if (gtypes_nr[0] * ULL_ALIGNMENT_WIDTH +
+		    gtypes_nr[1] * UL_ALIGNMENT_WIDTH +
+		    ftypes_nr[2] * U_ALIGNMENT_WIDTH < ftypes_nr[2])
 			/* Overflow */
 			return -1;
 
-- 
1.9.1