From: Takashi Iwai <tiwai@suse.com>
Date: Thu, 17 Mar 2016 07:51:23 +0100
Subject: prevent buffer overflow in path_name() (CVE-2016-2324)
Using int type for string sizes in path_name() allows a remotely
triggered buffer overflow if arithmetic wraps around. Use size_t instead
and bail out if resulting size exceeds INT_MAX.
---
revision.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
--- a/revision.c
+++ b/revision.c
@@ -20,14 +20,20 @@
{
const struct name_path *p;
char *n, *m;
- int nlen = strlen(name);
- int len = nlen + 1;
+ size_t nlen = strlen(name);
+ size_t len = nlen + 1;
+ if (len >= INT_MAX)
+ goto error;
for (p = path; p; p = p->up) {
if (p->elem_len)
len += p->elem_len + 1;
+ if (len >= INT_MAX)
+ goto error;
}
n = xmalloc(len);
+ if (!n)
+ goto error;
m = n + len - (nlen + 1);
memcpy(m, name, nlen + 1);
for (p = path; p; p = p->up) {
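Review bot: The `if (!n) goto error;` added right after `n = xmalloc(len);` is most likely unreachable, because git's xmalloc() wrapper dies on allocation failure rather than returning NULL; it is harmless, but it suggests a failure contract xmalloc does not have, so either drop it or comment it as defensive (`/* xmalloc() dies on OOM; this is belt-and-braces only */`). The INT_MAX cap itself is the right bound here, since the lengths end up in int-typed consumers such as show_path_component_truncated(FILE *, const char *, int) visible below, and a short comment saying so would help the next reader: `/* lengths are later handed to int-typed callers; refuse anything that would not fit */`. On 32-bit size_t the per-iteration check is sufficient because len is below INT_MAX before each addition and elem_len is at most INT_MAX, so the size_t sum cannot wrap before it is tested. The signature of path_name() is just above this hunk and the second loop continues past its end.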
@@ -38,6 +44,14 @@
}
}
return n;
+
+ error:
+ /* FIXME: better to return an error, but the caller of this function
+ * doesn't do any NULL-checks, so it's safer to exit forcibly
+ */
+ exit(1);
+
+ return NULL;
}
static int show_path_component_truncated(FILE *out, const char *name, int len)
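Review bot: The new `error:` path calls `exit(1)` with no diagnostic, so when an over-long path is rejected the process terminates silently and an operator gets no hint why; git's `die()` prints a message to stderr, exits non-zero and is marked noreturn, so `die("path_name: path too long");` would replace both the bare `exit(1)` and the dead `return NULL;` that follows it. Failing closed is the correct choice given that callers do not NULL-check the result, as the FIXME says, so the comment is worth keeping; I would only reword it to state the decision rather than apologise for it: `/* callers never check for NULL, so refuse loudly instead of returning an unusable result */`. If `die()` is not available in this tree, at least `fprintf(stderr, ...)` before exit keeps the failure observable. path_name() starts before this hunk.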