File: Fix-Github-issue-70-A-Integer-Underflow-in-raptor_ur.patch

package info (click to toggle)
raptor2 2.0.15-4%2Bdeb12u1
  • links: PTS
  • area: main
  • in suites: bookworm
  • size: 18,832 kB
  • sloc: ansic: 37,283; sh: 11,996; xml: 6,706; makefile: 2,831; yacc: 2,434; perl: 1,130; lex: 1,070
file content (44 lines) | stat: -rw-r--r-- 1,372 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
 
From: Dave Beckett <dave@dajobe.org>
Date: Thu, 6 Feb 2025 21:12:37 -0800
Subject: Fix Github issue 70 A) Integer Underflow in
 raptor_uri_normalize_path()
Origin: https://github.com/dajobe/raptor/commit/da7a79976bd0314c23cce55d22495e7d29301c44
Bug: https://github.com/dajobe/raptor/issues/70
Bug-Debian: https://bugs.debian.org/1067896
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57823

(raptor_uri_normalize_path): Return empty buffer if path gets to 0
length
---
 src/raptor_rfc2396.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/raptor_rfc2396.c b/src/raptor_rfc2396.c
index 8cc364f44735..f8ec57986a08 100644
--- a/src/raptor_rfc2396.c
+++ b/src/raptor_rfc2396.c
@@ -351,6 +351,10 @@ raptor_uri_normalize_path(unsigned char* path_buffer, size_t path_len)
           *dest++ = *s++;
         *dest = '\0';
         path_len -= len;
+        if(path_len <= 0) {
+          *path_buffer = '\0';
+          return 0;
+        }
 
         if(p && p < prev) {
           /* We know the previous prev path component and we didn't do
@@ -390,6 +394,10 @@ raptor_uri_normalize_path(unsigned char* path_buffer, size_t path_len)
     /* Remove <component>/.. at the end of the path */
     *prev = '\0';
     path_len -= (s-prev);
+    if(path_len <= 0) {
+      *path_buffer = '\0';
+      return 0;
+    }
   }
 
 
-- 
2.49.0