# HG changeset patch # User Christophe Lincoln # Date 1239179775 -7200 # Node ID 12658e6aaebae31bf205e9130253634377a7af74 # Parent ee8706874a32db39e7547f495ef345ce9862784f glib: Security fix (http://labs.slitaz.org/issues/show/32) diff -r ee8706874a32 -r 12658e6aaeba glib/receipt --- a/glib/receipt Tue Apr 07 22:59:27 2009 +0200 +++ b/glib/receipt Wed Apr 08 10:36:15 2009 +0200 @@ -14,6 +14,8 @@ compile_rules() { cd $src + # Security fix (http://labs.slitaz.org/issues/show/32) + patch -p 0 < ../stuff/glib-CVE-2008-4316.diff || exit 1 ./configure \ --prefix=/usr \ --sysconfdir=/etc \ diff -r ee8706874a32 -r 12658e6aaeba glib/stuff/glib-CVE-2008-4316.diff --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/glib/stuff/glib-CVE-2008-4316.diff Wed Apr 08 10:36:15 2009 +0200 @@ -0,0 +1,62 @@ +--- glib/gbase64.c 2009/02/23 04:30:06 7897 ++++ glib/gbase64.c 2009/03/12 13:30:55 7973 +@@ -54,8 +54,9 @@ + * + * The output buffer must be large enough to fit all the data that will + * be written to it. Due to the way base64 encodes you will need +- * at least: @len * 4 / 3 + 6 bytes. If you enable line-breaking you will +- * need at least: @len * 4 / 3 + @len * 4 / (3 * 72) + 7 bytes. ++ * at least: (@len / 3 + 1) * 4 + 4 bytes (+ 4 may be needed in case of ++ * non-zero state). If you enable line-breaking you will need at least: ++ * ((@len / 3 + 1) * 4 + 4) / 72 + 1 bytes of extra space. + * + * @break_lines is typically used when putting base64-encoded data in emails. + * It breaks the lines at 72 columns instead of putting all of the text on +@@ -233,8 +234,14 @@ + g_return_val_if_fail (data != NULL, NULL); + g_return_val_if_fail (len > 0, NULL); + +- /* We can use a smaller limit here, since we know the saved state is 0 */ +- out = g_malloc (len * 4 / 3 + 4); ++ /* We can use a smaller limit here, since we know the saved state is 0, ++ +1 is needed for trailing \0, also check for unlikely integer overflow */ ++ if (len >= ((G_MAXSIZE - 1) / 4 - 1) * 3) ++ g_error("%s: input too large for Base64 encoding (%"G_GSIZE_FORMAT" chars)", ++ G_STRLOC, len); ++ ++ out = g_malloc ((len / 3 + 1) * 4 + 1); ++ + outlen = g_base64_encode_step (data, len, FALSE, out, &state, &save); + outlen += g_base64_encode_close (FALSE, out + outlen, &state, &save); + out[outlen] = '\0'; +@@ -275,7 +282,8 @@ + * + * The output buffer must be large enough to fit all the data that will + * be written to it. Since base64 encodes 3 bytes in 4 chars you need +- * at least: @len * 3 / 4 bytes. ++ * at least: (@len / 4) * 3 + 3 bytes (+ 3 may be needed in case of non-zero ++ * state). + * + * Return value: The number of bytes of output that was written + * +@@ -358,7 +366,8 @@ + gsize *out_len) + { + guchar *ret; +- gint input_length, state = 0; ++ gsize input_length; ++ gint state = 0; + guint save = 0; + + g_return_val_if_fail (text != NULL, NULL); +@@ -368,7 +377,9 @@ + + g_return_val_if_fail (input_length > 1, NULL); + +- ret = g_malloc0 (input_length * 3 / 4); ++ /* We can use a smaller limit here, since we know the saved state is 0, ++ +1 used to avoid calling g_malloc0(0), and hence retruning NULL */ ++ ret = g_malloc0 ((input_length / 4) * 3 + 1); + + *out_len = g_base64_decode_step (text, input_length, ret, &state, &save); +