wok diff aspell/stuff/patches/CVE-2019-25051 @ rev 24986

Up nettle 3.7.3 again; glib-networking needs a rebuild so that it does not break midori
author Stanislas Leduc <shann@slitaz.org>
date Wed May 11 08:28:28 2022 -0400 (2022-05-11)
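--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/aspell/stuff/patches/CVE-2019-25051	Wed May 11 08:28:28 2022 -0400
@@ -0,0 +1,96 @@
+From 0718b375425aad8e54e1150313b862e4c6fd324a Mon Sep 17 00:00:00 2001
+From: Kevin Atkinson <kevina@gnu.org>
+Date: Sat, 21 Dec 2019 20:32:47 +0000
+Subject: [PATCH] objstack: assert that the alloc size will fit within a chunk
+ to prevent a buffer overflow
+
+Bug found using OSS-Fuze.
+---
+ common/objstack.hpp | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/common/objstack.hpp b/common/objstack.hpp
+index 3997bf7..bd97ccd 100644
+--- a/common/objstack.hpp
++++ b/common/objstack.hpp
+@@ -5,6 +5,7 @@
+ #include "parm_string.hpp"
+ #include <stdlib.h>
+ #include <assert.h>
++#include <stddef.h>
+ 
+ namespace acommon {
+ 
+@@ -26,6 +27,12 @@ class ObjStack
+   byte * temp_end;
+   void setup_chunk();
+   void new_chunk();
++  bool will_overflow(size_t sz) const {
++    return offsetof(Node,data) + sz > chunk_size;
++  }
++  void check_size(size_t sz) {
++    assert(!will_overflow(sz));
++  }
+ 
+   ObjStack(const ObjStack &);
+   void operator=(const ObjStack &);
+@@ -56,7 +63,7 @@ class ObjStack
+   void * alloc_bottom(size_t size)  {
+     byte * tmp = bottom;
+     bottom += size;
+-    if (bottom > top) {new_chunk(); tmp = bottom; bottom += size;}
++    if (bottom > top) {check_size(size); new_chunk(); tmp = bottom; bottom += size;}
+     return tmp;
+   }
+   // This alloc_bottom will insure that the object is aligned based on the
+@@ -66,7 +73,7 @@ class ObjStack
+     align_bottom(align);
+     byte * tmp = bottom;
+     bottom += size;
+-    if (bottom > top) {new_chunk(); goto loop;}
++    if (bottom > top) {check_size(size); new_chunk(); goto loop;}
+     return tmp;
+   }
+   char * dup_bottom(ParmString str) {
+@@ -79,7 +86,7 @@ class ObjStack
+   // always be aligned as such.
+   void * alloc_top(size_t size) {
+     top -= size;
+-    if (top < bottom) {new_chunk(); top -= size;}
++    if (top < bottom) {check_size(size); new_chunk(); top -= size;}
+     return top;
+   }
+   // This alloc_top will insure that the object is aligned based on
+@@ -88,7 +95,7 @@ class ObjStack
+   {loop:
+     top -= size;
+     align_top(align);
+-    if (top < bottom) {new_chunk(); goto loop;}
++    if (top < bottom) {check_size(size); new_chunk(); goto loop;}
+     return top;
+   }
+   char * dup_top(ParmString str) {
+@@ -117,6 +124,7 @@ class ObjStack
+   void * alloc_temp(size_t size) {
+     temp_end = bottom + size;
+     if (temp_end > top) {
++      check_size(size);
+       new_chunk();
+       temp_end = bottom + size;
+     }
+@@ -131,6 +139,7 @@ class ObjStack
+     } else {
+       size_t s = temp_end - bottom;
+       byte * p = bottom;
++      check_size(size);
+       new_chunk();
+       memcpy(bottom, p, s);
+       temp_end = bottom + size;
+@@ -150,6 +159,7 @@ class ObjStack
+     } else {
+       size_t s = temp_end - bottom;
+       byte * p = bottom;
++      check_size(size);
+       new_chunk();
+       memcpy(bottom, p, s);
+       temp_end = bottom + size;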
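Review bot: `check_size()` enforces the chunk limit with `assert`, so a build of aspell that defines `NDEBUG` compiles the check away and an oversized request still goes through `new_chunk()` and the pointer bump in `alloc_bottom`, `alloc_top`, `alloc_temp` and the two resize paths. Since `<stdlib.h>` is already included in objstack.hpp, the guard could be made unconditional, e.g. `if (will_overflow(sz)) abort();`; failing that, the package build should be confirmed not to pass `-DNDEBUG`. Separately, `offsetof(Node,data) + sz` in `will_overflow()` can wrap for a `sz` close to the `size_t` maximum and then compare as small; assuming `chunk_size` is an unsigned `size_t` (its declaration is outside these hunks), `return sz > chunk_size || offsetof(Node,data) > chunk_size - sz;` avoids the wrap. The bodies of the last two patched functions start and end outside their hunks, so whether `size` is bounded earlier on those paths cannot be seen here.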