diff options
author | Sergey Lukin <sergej.lukin@gmail.com> | 2016-12-09 08:23:32 +0000 |
---|---|---|
committer | Timo Teräs <timo.teras@iki.fi> | 2016-12-26 09:46:12 +0000 |
commit | ba3dc3d210189d8b88c35c3b6850f54f8041f3fa (patch) | |
tree | b1ecf74c7594105573debcf6ccfd2f67522c03c6 /main/curl/CVE-2016-8618.patch | |
parent | f7fb6eb9c7b2bdc8ac41b605df86bb2fa114e89a (diff) | |
download | aports-3.1-stable.tar.bz2 aports-3.1-stable.tar.xz |
main/curl: security upgrade - fixes #64373.1-stable
CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619,
CVE-2016-8620, CVE-2016-8621 CVE-2016-8622, CVE-2016-8623, CVE-2016-8624
Diffstat (limited to 'main/curl/CVE-2016-8618.patch')
-rw-r--r-- | main/curl/CVE-2016-8618.patch | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/main/curl/CVE-2016-8618.patch b/main/curl/CVE-2016-8618.patch new file mode 100644 index 0000000000..6d4eaaf9d6 --- /dev/null +++ b/main/curl/CVE-2016-8618.patch @@ -0,0 +1,50 @@ +From 31106a073882656a2a5ab56c4ce2847e9a334c3c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Wed, 28 Sep 2016 10:15:34 +0200 +Subject: [PATCH] aprintf: detect wrap-around when growing allocation + +On 32bit systems we could otherwise wrap around after 2GB and allocate 0 +bytes and crash. + +CVE-2016-8618 + +Bug: https://curl.haxx.se/docs/adv_20161102D.html +Reported-by: Cure53 +--- + lib/mprintf.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/lib/mprintf.c b/lib/mprintf.c +index dbedeaa..2c88aa8 100644 +--- a/lib/mprintf.c ++++ b/lib/mprintf.c +@@ -1034,20 +1034,23 @@ static int alloc_addbyter(int output, FILE *data) + } + infop->alloc = 32; + infop->len =0; + } + else if(infop->len+1 >= infop->alloc) { +- char *newptr; ++ char *newptr = NULL; ++ size_t newsize = infop->alloc*2; + +- newptr = realloc(infop->buffer, infop->alloc*2); ++ /* detect wrap-around or other overflow problems */ ++ if(newsize > infop->alloc) ++ newptr = realloc(infop->buffer, newsize); + + if(!newptr) { + infop->fail = 1; + return -1; /* fail */ + } + infop->buffer = newptr; +- infop->alloc *= 2; ++ infop->alloc = newsize; + } + + infop->buffer[ infop->len ] = outc; + + infop->len++; +-- +2.9.3 + |