
ming-0.4.5-14.1.mga6.src.rpm

From befb7439c2cf4768bcca09651d6325e8f078e992 Mon Sep 17 00:00:00 2001
From: Sandro Santilli <strk@kbt.io>
Date: Tue, 6 Jun 2017 09:37:10 +0200
Subject: [PATCH 04/29] Guard against buflen integer overflow (CVE-2017-8782)

See #70
---
 util/read.c | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/util/read.c b/util/read.c
index b4296959..892e754d 100644
--- a/util/read.c
+++ b/util/read.c
@@ -20,6 +20,7 @@
  *
  ****************************************************************************/
 
+#include <limits.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -236,23 +237,33 @@ char *readBytes(FILE *f,int size)
 
 char *readString(FILE *f)
 {
-  int len = 0, buflen = 256;
+  unsigned int len = 0, buflen = 256;
   char c, *buf, *p;
 
-  buf = (char *)malloc(sizeof(char)*256);
+  buf = (char *)malloc(sizeof(char)*buflen);
+  if ( ! buf )
+  {
+    fprintf(stderr, "failed allocating %d bytes\n", buflen);
+    exit(-1);
+  }
   p = buf;
 
   while((c=(char)readUInt8(f)) != '\0')
   {
     if(len >= buflen-2)
     {
-      buf = (char *)realloc(buf, sizeof(char)*(buflen+256));
-      if ( ! buf )
+      if ( buflen >= UINT_MAX - 256 )
       {
-        fprintf(stderr, "failed reallocating %d bytes\n", buflen+256);
+        fprintf(stderr, "string null-termination missing after reading %d bytes, giving up\n", buflen);
         exit(-1);
       }
       buflen += 256;
+      buf = (char *)realloc(buf, sizeof(char)*(buflen));
+      if ( ! buf )
+      {
+        fprintf(stderr, "failed allocating %d bytes\n", buflen);
+        exit(-1);
+      }
       p = buf+len;
     }
 
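Review bot: The three diagnostics that print `buflen` still use `%d` after the commit changes `len` and `buflen` to `unsigned int`, so the format specifier no longer matches the argument type (undefined behaviour per the C standard, and a `-Wformat` warning in practice); it should be `%u` in the `"failed allocating %d bytes\n"` lines and the `"string null-termination missing after reading %d bytes, giving up\n"` line. With the new `UINT_MAX - 256` guard, values above `INT_MAX` are now reachable, which is exactly where `%d` would print a misleading negative count. The overflow guard itself looks correct: because `buflen` is tested before the `+= 256`, the addition can no longer wrap. readString's body continues past the end of this hunk, so the remaining loop and the final termination are not visible here.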
-- 
2.14.3