diff options
Diffstat (limited to 'main/libmspack/CVE-2017-6419.patch')
| -rw-r--r-- | main/libmspack/CVE-2017-6419.patch | 78 |
1 files changed, 0 insertions, 78 deletions
diff --git a/main/libmspack/CVE-2017-6419.patch b/main/libmspack/CVE-2017-6419.patch deleted file mode 100644 index 4945f5fba5..0000000000 --- a/main/libmspack/CVE-2017-6419.patch +++ /dev/null @@ -1,78 +0,0 @@ -diff --git a/mspack/chmd.c b/mspack/chmd.c -index 5a6ef54..1a486c8 100644 ---- a/mspack/chmd.c -+++ b/mspack/chmd.c -@@ -1269,9 +1269,15 @@ static int read_spaninfo(struct mschm_decompressor_p *self, - - /* get the uncompressed length of the LZX stream */ - err = read_off64(length_ptr, data, sys, self->d->infh); -- - sys->free(data); -- return (err) ? MSPACK_ERR_DATAFORMAT : MSPACK_ERR_OK; -+ if (err) return MSPACK_ERR_DATAFORMAT; -+ -+ if (*length_ptr <= 0) { -+ D(("output length is invalid")) -+ return MSPACK_ERR_DATAFORMAT; -+ } -+ -+ return MSPACK_ERR_OK; - } - - /*************************************** -diff --git a/mspack/lzxd.c b/mspack/lzxd.c -index 2281e7b..d164df9 100644 ---- a/mspack/lzxd.c -+++ b/mspack/lzxd.c -@@ -300,8 +300,14 @@ struct lzxd_stream *lzxd_init(struct mspack_system *system, - if (window_bits < 15 || window_bits > 21) return NULL; - } - -+ if (reset_interval < 0 || output_length < 0) { -+ D(("reset interval or output length < 0")) -+ return NULL; -+ } -+ -+ /* round up input buffer size to multiple of two */ - input_buffer_size = (input_buffer_size + 1) & -2; -- if (!input_buffer_size) return NULL; -+ if (input_buffer_size < 2) return NULL; - - /* allocate decompression state */ - if (!(lzx = (struct lzxd_stream *) system->alloc(system, sizeof(struct lzxd_stream)))) { -@@ -382,7 +388,7 @@ int lzxd_set_reference_data(struct lzxd_stream *lzx, - } - - void lzxd_set_output_length(struct lzxd_stream *lzx, off_t out_bytes) { -- if (lzx) lzx->length = out_bytes; -+ if (lzx && out_bytes > 0) lzx->length = out_bytes; - } - - int lzxd_decompress(struct lzxd_stream *lzx, off_t out_bytes) { -diff --git a/mspack/mszipd.c b/mspack/mszipd.c -index 5b4756d..6ecd96d 100644 ---- a/mspack/mszipd.c -+++ b/mspack/mszipd.c -@@ -349,8 +349,9 @@ struct mszipd_stream *mszipd_init(struct mspack_system *system, - - if (!system) return NULL; - -+ /* round up input buffer size to multiple of two */ - input_buffer_size = (input_buffer_size + 1) & -2; -- if (!input_buffer_size) return NULL; -+ if (input_buffer_size < 2) return NULL; - - /* allocate decompression state */ - if (!(zip = (struct mszipd_stream *) system->alloc(system, sizeof(struct mszipd_stream)))) { -diff --git a/mspack/qtmd.c b/mspack/qtmd.c -index 12b27f5..5d2c76f 100644 ---- a/mspack/qtmd.c -+++ b/mspack/qtmd.c -@@ -197,6 +197,7 @@ struct qtmd_stream *qtmd_init(struct mspack_system *system, - /* Quantum supports window sizes of 2^10 (1Kb) through 2^21 (2Mb) */ - if (window_bits < 10 || window_bits > 21) return NULL; - -+ /* round up input buffer size to multiple of two */ - input_buffer_size = (input_buffer_size + 1) & -2; - if (input_buffer_size < 2) return NULL; - |