wok-next view cvs/stuff/patches/cvs-1.11.23-cve-2010-3846.patch @ rev 21105
Small updates... "bzip2" and "cairo": follow "libpkg - pkg - pkg-dev" rule
| author | Aleksej Bobylev <al.bobylev@gmail.com> |
|---|---|
| date | Fri Jan 04 17:29:48 2019 +0200 (2019-01-04) |
| parents | |
| children |
line source
1 From b122edcb68ff05bb6eb22f6e50423e7f1050841b Mon Sep 17 00:00:00 2001
2 From: Larry Jones <lawrence.jones@siemens.com>
3 Date: Thu, 21 Oct 2010 10:08:16 +0200
4 Subject: [PATCH] Fix for CVE-2010-3846
5 MIME-Version: 1.0
6 Content-Type: text/plain; charset=UTF-8
7 Content-Transfer-Encoding: 8bit
9 Mallformed RCS revision (delete after the end of input file, or overlayed
10 deleted regions) screws output file image size computation. This leads to
11 write attempt after the allocated memory opening hiden memory corruption
12 driven by CVS server.
14 Signed-off-by: Petr Písař <ppisar@redhat.com>
15 ---
16 src/rcs.c | 52 +++++++++++++++++++++++++++++-----------------------
17 1 files changed, 29 insertions(+), 23 deletions(-)
19 diff --git a/src/rcs.c b/src/rcs.c
20 index 7d0d078..2f88f85 100644
21 --- a/src/rcs.c
22 +++ b/src/rcs.c
23 @@ -7128,7 +7128,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
24 struct deltafrag *dfhead;
25 struct deltafrag **dftail;
26 struct deltafrag *df;
27 - unsigned long numlines, lastmodline, offset;
28 + unsigned long numlines, offset;
29 struct linevector lines;
30 int err;
32 @@ -7202,12 +7202,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
34 /* New temp data structure to hold new org before
35 copy back into original structure. */
36 - lines.nlines = lines.lines_alloced = numlines;
37 + lines.lines_alloced = numlines;
38 lines.vector = xmalloc (numlines * sizeof *lines.vector);
40 /* We changed the list order to first to last -- so the
41 list never gets larger than the size numlines. */
42 - lastmodline = 0;
43 + lines.nlines = 0;
45 /* offset created when adding/removing lines
46 between new and original structure */
47 @@ -7216,25 +7216,24 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
48 for (df = dfhead; df != NULL; )
49 {
50 unsigned int ln;
51 - unsigned long deltaend;
52 + unsigned long newpos = df->pos - offset;
54 - if (df->pos > orig_lines->nlines)
55 + if (newpos < lines.nlines || newpos > numlines)
56 err = 1;
58 /* On error, just free the rest of the list. */
59 if (!err)
60 {
61 - /* Here we need to get to the line where the next insert will
62 + /* Here we need to get to the line where the next change will
63 begin, which is DF->pos in ORIG_LINES. We will fill up to
64 DF->pos - OFFSET in LINES with original items. */
65 - for (deltaend = df->pos - offset;
66 - lastmodline < deltaend;
67 - lastmodline++)
68 + while (lines.nlines < newpos)
69 {
70 /* we need to copy from the orig structure into new one */
71 - lines.vector[lastmodline] =
72 - orig_lines->vector[lastmodline + offset];
73 - lines.vector[lastmodline]->refcount++;
74 + lines.vector[lines.nlines] =
75 + orig_lines->vector[lines.nlines + offset];
76 + lines.vector[lines.nlines]->refcount++;
77 + lines.nlines++;
78 }
80 switch (df->type)
81 @@ -7246,7 +7245,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
82 struct line *q;
83 int nextline_newline;
84 size_t nextline_len;
85 -
86 +
87 + if (newpos + df->nlines > numlines)
88 + {
89 + err = 1;
90 + break;
91 + }
92 textend = df->new_lines + df->len;
93 nextline_newline = 0;
94 nextline_text = df->new_lines;
95 @@ -7271,8 +7275,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
96 q->has_newline = nextline_newline;
97 q->refcount = 1;
98 memcpy (q->text, nextline_text, nextline_len);
99 - lines.vector[lastmodline++] = q;
100 - offset--;
101 + lines.vector[lines.nlines++] = q;
103 nextline_text = (char *)p + 1;
104 nextline_newline = 0;
105 @@ -7286,11 +7289,11 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
106 q->has_newline = nextline_newline;
107 q->refcount = 1;
108 memcpy (q->text, nextline_text, nextline_len);
109 - lines.vector[lastmodline++] = q;
110 + lines.vector[lines.nlines++] = q;
112 /* For each line we add the offset between the #'s
113 decreases. */
114 - offset--;
115 + offset -= df->nlines;
116 break;
117 }
119 @@ -7301,7 +7304,9 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
120 if (df->pos + df->nlines > orig_lines->nlines)
121 err = 1;
122 else if (delvers)
123 + {
124 for (ln = df->pos; ln < df->pos + df->nlines; ++ln)
125 + {
126 if (orig_lines->vector[ln]->refcount > 1)
127 /* Annotate needs this but, since the original
128 * vector is disposed of before returning from
129 @@ -7309,6 +7314,8 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
130 * there are multiple references.
131 */
132 orig_lines->vector[ln]->vers = delvers;
133 + }
134 + }
135 break;
136 }
137 }
138 @@ -7328,21 +7335,20 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
139 else
140 {
141 /* add the rest of the remaining lines to the data vector */
142 - for (; lastmodline < numlines; lastmodline++)
143 + while (lines.nlines < numlines)
144 {
145 /* we need to copy from the orig structure into new one */
146 - lines.vector[lastmodline] = orig_lines->vector[lastmodline
147 + lines.vector[lines.nlines] = orig_lines->vector[lines.nlines
148 + offset];
149 - lines.vector[lastmodline]->refcount++;
150 + lines.vector[lines.nlines]->refcount++;
151 + lines.nlines++;
152 }
154 /* Move the lines vector to the original structure for output,
155 * first deleting the old.
156 */
157 linevector_free (orig_lines);
158 - orig_lines->vector = lines.vector;
159 - orig_lines->lines_alloced = numlines;
160 - orig_lines->nlines = lines.nlines;
161 + *orig_lines = lines;
162 }
164 return !err;
165 --
166 1.7.2.3