Diffstat (limited to 'main/musl/0019-fix-free-of-uninitialized-buffer-pointer-on-error-in.patch')
-rw-r--r--main/musl/0019-fix-free-of-uninitialized-buffer-pointer-on-error-in.patch41
1 files changed, 41 insertions, 0 deletions
diff --git a/main/musl/0019-fix-free-of-uninitialized-buffer-pointer-on-error-in.patch b/main/musl/0019-fix-free-of-uninitialized-buffer-pointer-on-error-in.patch
new file mode 100644
index 0000000000..f168e0c7fe
--- /dev/null
+++ b/main/musl/0019-fix-free-of-uninitialized-buffer-pointer-on-error-in.patch
@@ -0,0 +1,41 @@
+From 6582baa752a8facb2c8a7b5b3dcf67331429cdc1 Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Tue, 14 Mar 2017 14:18:07 -0400
+Subject: [PATCH] fix free of uninitialized buffer pointer on error in regexec
+
+the fix in commit c3edc06d1e1360f3570db9155d6b318ae0d0f0f7 for
+CVE-2016-8859 used gotos to exit on overflow conditions, but the code
+in that error path assumed the buffer pointer was valid or null. thus,
+the conditions which previously led to under-allocation and buffer
+overflow could instead lead to an invalid pointer being passed to
+free.
+---
+ src/regex/regexec.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/regex/regexec.c b/src/regex/regexec.c
+index 5c4cb922..253b0e14 100644
+--- a/src/regex/regexec.c
++++ b/src/regex/regexec.c
+@@ -215,15 +215,15 @@ tre_tnfa_run_parallel(const tre_tnfa_t *tnfa, const void *string,
+ /* Ensure that tbytes and xbytes*num_states cannot overflow, and that
+ * they don't contribute more than 1/8 of SIZE_MAX to total_bytes. */
+ if (num_tags > SIZE_MAX/(8 * sizeof(regoff_t) * tnfa->num_states))
+- goto error_exit;
++ return REG_ESPACE;
+
+ /* Likewise check rbytes. */
+ if (tnfa->num_states+1 > SIZE_MAX/(8 * sizeof(*reach_next)))
+- goto error_exit;
++ return REG_ESPACE;
+
+ /* Likewise check pbytes. */
+ if (tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_pos)))
+- goto error_exit;
++ return REG_ESPACE;
+
+ /* Compute the length of the block we need. */
+ tbytes = sizeof(*tmp_tags) * num_tags;
+--
+2.11.1
+
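Review bot: The three `return REG_ESPACE;` lines in the embedded regexec.c hunk are only safe because nothing has been allocated before these overflow checks, and that invariant is not written down next to them. A short comment above the first check, such as `/* no buffer allocated yet: return directly, error_exit would free an uninitialized pointer */`, would keep a later edit from moving an allocation above the checks or reintroducing the goto. Initializing the buffer pointer to NULL at its declaration would be a more durable alternative that keeps a single exit path, but that declaration and the error_exit label are outside this hunk, so this is inferred from the commit message rather than seen. Since the patch follows up on the CVE-2016-8859 fix, it is also worth confirming that the package's build recipe lists this file, which this path-limited view does not show.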