Package: libmysofa / 0.6~dfsg0-3

CVE-2019-10672.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
Description: backported fixes for CVE-2019-10672
Author: Christian Höne/IOhannes m zmölnig
Origin: upstream
Applied-Upstream: d39a171e9c6a1c44dbdf43f9db6c3fbd887e38c1, 83d21e38f4ed65c2e3d76fc792bdf4abde6ec148, 05ff8a6903c8a357c6d6fd921276732767741670, 2ed84bbcf261629adf16c56a5b4532670084842e
Last-Update: 2019-04-01
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- libmysofa.orig/src/hdf/btree.c
+++ libmysofa/src/hdf/btree.c
@@ -308,8 +308,11 @@
 					b = i / elements;
 					x = i % elements + start[0];
 					if (x < sx) {
+
 						j = x * size + b;
-						((char*)data->data)[j] = output[i];
+						if (j >= 0 && j < data->data_len) {
+							((char*) data->data)[j] = output[i];
+						}
 					}
 				}
 				break;
@@ -321,7 +324,9 @@
 					x = x / dy + start[0];
 					if (y < sy && x < sx) {
 						j = ((x * sy + y) * size) + b;
-						((char*)data->data)[j] = output[i];
+						if (j >= 0 && j < data->data_len) {
+							((char*) data->data)[j] = output[i];
+						}
 					}
 				}
 				break;
@@ -334,7 +339,9 @@
 					x = (x / dzy) + start[0];
 					if (z < sz && y < sy && x < sx) {
 						j = (x * szy + y * sz + z) * size + b;
-						((char*)data->data)[j] = output[i];
+						if (j >= 0 && j < data->data_len) {
+							((char*) data->data)[j] = output[i];
+						}
 					}
 				}
 				break;
--- libmysofa.orig/src/hdf/dataobject.c
+++ libmysofa/src/hdf/dataobject.c
@@ -665,13 +665,14 @@
 
 	if(name_size>0x1000)
 		return MYSOFA_NO_MEMORY;
-	name = malloc(name_size);
+	name = malloc(name_size + 1);
 	if(!name)
 		return MYSOFA_NO_MEMORY;
 	if(fread(name, 1, name_size, reader->fhd)!=name_size) {
 		free(name);
 		return errno;
 	}
+	name[name_size] = 0;
 	log("  attribute name %s\n", name);
 
 	if (flags & 3) {
--- libmysofa.orig/src/hdf/fractalhead.c
+++ libmysofa/src/hdf/fractalhead.c
@@ -180,6 +180,12 @@
 			log("\nfractal head type 1 length %4lX name %s address %lX\n", length, name, heap_header_address);
 
 			dir = malloc(sizeof(struct DIR));
+			if(!dir) {
+				free(name);
+				return MYSOFA_NO_MEMORY;
+			}
+			memset(dir,0,sizeof(*dir));
+
 			dir->next = dataobject->directory;
 			dataobject->directory = dir;