Diffstat (limited to 'main/musl/0019-fix-free-of-uninitialized-buffer-pointer-on-error-in.patch')
-rw-r--r-- | main/musl/0019-fix-free-of-uninitialized-buffer-pointer-on-error-in.patch | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/main/musl/0019-fix-free-of-uninitialized-buffer-pointer-on-error-in.patch b/main/musl/0019-fix-free-of-uninitialized-buffer-pointer-on-error-in.patch
new file mode 100644
index 0000000000..f168e0c7fe
--- /dev/null
+++ b/main/musl/0019-fix-free-of-uninitialized-buffer-pointer-on-error-in.patch
@@ -0,0 +1,41 @@
+From 6582baa752a8facb2c8a7b5b3dcf67331429cdc1 Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Tue, 14 Mar 2017 14:18:07 -0400
+Subject: [PATCH] fix free of uninitialized buffer pointer on error in regexec
+
+the fix in commit c3edc06d1e1360f3570db9155d6b318ae0d0f0f7 for
+CVE-2016-8859 used gotos to exit on overflow conditions, but the code
+in that error path assumed the buffer pointer was valid or null. thus,
+the conditions which previously led to under-allocation and buffer
+overflow could instead lead to an invalid pointer being passed to
+free.
+---
+ src/regex/regexec.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/regex/regexec.c b/src/regex/regexec.c
+index 5c4cb922..253b0e14 100644
+--- a/src/regex/regexec.c
++++ b/src/regex/regexec.c
+@@ -215,15 +215,15 @@ tre_tnfa_run_parallel(const tre_tnfa_t *tnfa, const void *string,
+ /* Ensure that tbytes and xbytes*num_states cannot overflow, and that
+ * they don't contribute more than 1/8 of SIZE_MAX to total_bytes. */
+ if (num_tags > SIZE_MAX/(8 * sizeof(regoff_t) * tnfa->num_states))
+- goto error_exit;
++ return REG_ESPACE;
+
+ /* Likewise check rbytes. */
+ if (tnfa->num_states+1 > SIZE_MAX/(8 * sizeof(*reach_next)))
+- goto error_exit;
++ return REG_ESPACE;
+
+ /* Likewise check pbytes. */
+ if (tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_pos)))
+- goto error_exit;
++ return REG_ESPACE;
+
+ /* Compute the length of the block we need. */
+ tbytes = sizeof(*tmp_tags) * num_tags;
+--
+2.11.1
+ |
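Review bot: The three `return REG_ESPACE;` lines carry no comment saying why they bypass `error_exit`, so a later cleanup could "harmonize" them back into gotos and reintroduce the free of an uninitialized pointer that the commit message describes; a one-liner above the first overflow check such as `/* buffer not allocated yet: error_exit would free an uninitialized pointer, so return directly */` would pin the intent in the code rather than only in the patch header. The opening of tre_tnfa_run_parallel and the remaining `error_exit` users lie outside the hunk, so whether every later goto is reached only after the buffer pointer is initialized cannot be confirmed from here. Since this is a vendored backport of an upstream musl commit, the comment belongs in upstream's regexec.c rather than in the aports patch file itself.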