fann_io: fix integer overflows in the layer_size parser

If layer_size is zero in the first layer, then ann->num_input will be 4294967295 (-1 cast to unsigned). This easily overflows the neuron buffer on the first fann_run() call, crashing the process. If layer_size is too large, ann->total_neurons will eventually overflow, which will allocate less neurons than needed. This, too, will eventually crash the process when those unallocated neurons are accessed.
Aspheria · May 19, 2018 · 8407854 · 8407854
1 parent c8164c1
commit 8407854
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/src/fann_io.c b/src/fann_io.c
@@ -21,6 +21,7 @@
 #include <stdlib.h>
 #include <stdarg.h>
 #include <string.h>
+#include <limits.h>
 
 #include "config.h"
 #include "fann.h"
@@ -539,7 +540,9 @@ struct fann *fann_create_from_fd(FILE * conf, const char *configuration_file)
 	/* determine how many neurons there should be in each layer */
 	for(layer_it = ann->first_layer; layer_it != ann->last_layer; layer_it++)
 	{
-		if(fscanf(conf, "%u ", &layer_size) != 1)
+		if(fscanf(conf, "%u ", &layer_size) != 1 ||
+		   layer_size == 0 || layer_size > INT_MAX ||
+		   layer_size > INT_MAX - ann->total_neurons)
 		{
 			fann_error((struct fann_error *) ann, FANN_E_CANT_READ_CONFIG, "layer_sizes", configuration_file);
 			fann_destroy(ann);