diff options
author | Leonardo Arena <rnalrd@alpinelinux.org> | 2019-09-17 07:55:20 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2019-09-17 07:56:17 +0000 |
commit | c64caaa6d0cf04cf1a2a90b1b751edef900fd849 (patch) | |
tree | ed5ef97e80d4f253b930cab2e60a6a351022e849 /main/curl/CVE-2019-5481.patch | |
parent | b8ed9736efcaee1cfb71d1c71773d8e62ee169d8 (diff) | |
download | aports-c64caaa6d0cf04cf1a2a90b1b751edef900fd849.tar.bz2 aports-c64caaa6d0cf04cf1a2a90b1b751edef900fd849.tar.xz |
main/curl: security fixes (CVE-2019-5481, CVE-2019-5482)
ref #10793
Diffstat (limited to 'main/curl/CVE-2019-5481.patch')
-rw-r--r-- | main/curl/CVE-2019-5481.patch | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/main/curl/CVE-2019-5481.patch b/main/curl/CVE-2019-5481.patch new file mode 100644 index 0000000000..2aa4952cee --- /dev/null +++ b/main/curl/CVE-2019-5481.patch @@ -0,0 +1,40 @@ +From 9069838b30fb3b48af0123e39f664cea683254a5 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 3 Sep 2019 22:59:32 +0200 +Subject: [PATCH] security:read_data fix bad realloc() + +... that could end up a double-free + +CVE-2019-5481 +Bug: https://curl.haxx.se/docs/CVE-2019-5481.html +--- + lib/security.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/lib/security.c b/lib/security.c +index 550ea2da8d..c5e4e135df 100644 +--- a/lib/security.c ++++ b/lib/security.c +@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn, + struct krb5buffer *buf) + { + int len; +- void *tmp = NULL; + CURLcode result; + + result = socket_read(fd, &len, sizeof(len)); +@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn, + if(len) { + /* only realloc if there was a length */ + len = ntohl(len); +- tmp = Curl_saferealloc(buf->data, len); ++ buf->data = Curl_saferealloc(buf->data, len); + } +- if(tmp == NULL) ++ if(!len || !buf->data) + return CURLE_OUT_OF_MEMORY; + +- buf->data = tmp; + result = socket_read(fd, buf->data, len); + if(result) + return result; |