Package: wget / 1.18-5+deb9u3

Fix-a-buffer-overflow-vulnerability.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
From: Tim Ruehsen <tim.ruehsen@gmx.de>
Date: Fri, 5 Apr 2019 11:50:44 +0200
Subject: Fix a buffer overflow vulnerability
Origin: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c,
 https://git.savannah.gnu.org/cgit/wget.git/commit/?id=562eacb76a2b64d5dc80a443f0f739bc9ef76c17
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-5953
Bug-Debian: https://bugs.debian.org/926389

* src/iri.c(do_conversion): Reallocate the output buffer to a larger
  size if it is already full
---
 src/iri.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- a/src/iri.c
+++ b/src/iri.c
@@ -182,9 +182,10 @@ do_conversion (const char *tocode, const
         {
           tooshort++;
           done = len;
-          len = outlen = done + inlen * 2;
-          s = xrealloc (s, outlen + 1);
-          *out = s + done;
+          len = done + inlen * 2;
+          s = xrealloc (s, len + 1);
+          *out = s + done - outlen;
+          outlen += inlen * 2;
         }
       else /* Weird, we got an unspecified error */
         {