wok-current diff glib/stuff/glib-CVE-2008-4316.diff @ rev 3006
Add libdrm (Direct rendering)
author | Christophe Lincoln <pankso@slitaz.org> |
---|---|
date | Mon May 11 22:18:57 2009 +0200 (2009-05-11) |
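--- /dev/null
+++ b/glib/stuff/glib-CVE-2008-4316.diff
@@ -0,0 +1,62 @@
+--- glib/gbase64.c 2009/02/23 04:30:06 7897
++++ glib/gbase64.c 2009/03/12 13:30:55 7973
+@@ -54,8 +54,9 @@
+ *
+ * The output buffer must be large enough to fit all the data that will
+ * be written to it. Due to the way base64 encodes you will need
+- * at least: @len * 4 / 3 + 6 bytes. If you enable line-breaking you will
+- * need at least: @len * 4 / 3 + @len * 4 / (3 * 72) + 7 bytes.
++ * at least: (@len / 3 + 1) * 4 + 4 bytes (+ 4 may be needed in case of
++ * non-zero state). If you enable line-breaking you will need at least:
++ * ((@len / 3 + 1) * 4 + 4) / 72 + 1 bytes of extra space.
+ *
+ * @break_lines is typically used when putting base64-encoded data in emails.
+ * It breaks the lines at 72 columns instead of putting all of the text on
+@@ -233,8 +234,14 @@
+ g_return_val_if_fail (data != NULL, NULL);
+ g_return_val_if_fail (len > 0, NULL);
+
+- /* We can use a smaller limit here, since we know the saved state is 0 */
+- out = g_malloc (len * 4 / 3 + 4);
++ /* We can use a smaller limit here, since we know the saved state is 0,
++ +1 is needed for trailing \0, also check for unlikely integer overflow */
++ if (len >= ((G_MAXSIZE - 1) / 4 - 1) * 3)
++ g_error("%s: input too large for Base64 encoding (%"G_GSIZE_FORMAT" chars)",
++ G_STRLOC, len);
++
++ out = g_malloc ((len / 3 + 1) * 4 + 1);
++
+ outlen = g_base64_encode_step (data, len, FALSE, out, &state, &save);
+ outlen += g_base64_encode_close (FALSE, out + outlen, &state, &save);
+ out[outlen] = '\0';
+@@ -275,7 +282,8 @@
+ *
+ * The output buffer must be large enough to fit all the data that will
+ * be written to it. Since base64 encodes 3 bytes in 4 chars you need
+- * at least: @len * 3 / 4 bytes.
++ * at least: (@len / 4) * 3 + 3 bytes (+ 3 may be needed in case of non-zero
++ * state).
+ *
+ * Return value: The number of bytes of output that was written
+ *
+@@ -358,7 +366,8 @@
+ gsize *out_len)
+ {
+ guchar *ret;
+- gint input_length, state = 0;
++ gsize input_length;
++ gint state = 0;
+ guint save = 0;
+
+ g_return_val_if_fail (text != NULL, NULL);
+@@ -368,7 +377,9 @@
+
+ g_return_val_if_fail (input_length > 1, NULL);
+
+- ret = g_malloc0 (input_length * 3 / 4);
++ /* We can use a smaller limit here, since we know the saved state is 0,
++ +1 used to avoid calling g_malloc0(0), and hence retruning NULL */
++ ret = g_malloc0 ((input_length / 4) * 3 + 1);
+
+ *out_len = g_base64_decode_step (text, input_length, ret, &state, &save);
+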
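Review bot: The inner hunks at -54,8 and -275,7 only rewrite the documented minimum buffer sizes for the step functions; the allocation fixes themselves are limited to the `g_malloc` and `g_malloc0` call sites at -233,8 and -368,7. Any other package in the tree that calls `g_base64_encode_step` or `g_base64_decode_step` with a buffer sized by the old `@len * 4 / 3 + 6` or `@len * 3 / 4` formula is therefore not corrected by this patch, and the `len * 4` multiplication the new overflow check guards against may still wrap there. I would record that scope where the packager sees it, as a leading line in the patch file: `# CVE-2008-4316: fixes allocation sizes inside gbase64.c only; callers of the *_step functions must size buffers per the updated doc comments`. The commit title ("Add libdrm") does not mention the glib fix, and the section shown does not include the receipt change that applies the patch, so both are worth confirming. The enclosing functions start and end outside the inner hunks, so their names and the rest of their bodies are not visible here.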