[CVE-2018-17942] vasnprintf: Fix heap memory overrun bug.
author DongHun Kwak <dh0128.kwak@samsung.com>
Mon, 16 May 2022 07:02:42 +0000 (16:02 +0900)
committer DongHun Kwak <dh0128.kwak@samsung.com>
Mon, 16 May 2022 07:02:42 +0000 (16:02 +0900)
Reported by Ben Pfaff <blp@cs.stanford.edu> in
<https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html>.

* lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of
memory.
* tests/test-vasnprintf.c (test_function): Add another test.

Change-Id: I107d30510c01c28390f6a61c4034ea5fe4d20d80

packaging/CVE-2018-17942.patch [new file with mode: 0644]
packaging/patch.spec

diff --git a/packaging/CVE-2018-17942.patch b/packaging/CVE-2018-17942.patch
new file mode 100644 (file)
index 0000000..0efe08e
--- /dev/null
@@ -0,0 +1,34 @@
+From 861e8512d47e5aff3c836bd7720dc3506a220a99 Mon Sep 17 00:00:00 2001
+From: Bruno Haible <bruno@clisp.org>
+Date: Sun, 23 Sep 2018 14:13:52 +0200
+Subject: [PATCH] [CVE-2018-17942] vasnprintf: Fix heap memory overrun bug.
+
+Reported by Ben Pfaff <blp@cs.stanford.edu> in
+<https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html>.
+
+* lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of
+memory.
+* tests/test-vasnprintf.c (test_function): Add another test.
+
+---
+ lib/vasnprintf.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/vasnprintf.c b/lib/vasnprintf.c
+index 8b91e3f..c1c1fa5 100644
+--- a/lib/vasnprintf.c
++++ b/lib/vasnprintf.c
+@@ -860,7 +860,9 @@ convert_to_decimal (mpn_t a, size_t extra_zeroes)
+   size_t a_len = a.nlimbs;
+   /* 0.03345 is slightly larger than log(2)/(9*log(10)).  */
+   size_t c_len = 9 * ((size_t)(a_len * (GMP_LIMB_BITS * 0.03345f)) + 1);
+-  char *c_ptr = (char *) malloc (xsum (c_len, extra_zeroes));
++  /* We need extra_zeroes bytes for zeroes, followed by c_len bytes for the
++     digits of a, followed by 1 byte for the terminating NUL.  */
++  char *c_ptr = (char *) malloc (xsum (xsum (extra_zeroes, c_len), 1));
+   if (c_ptr != NULL)
+     {
+       char *d_ptr = c_ptr;
+-- 
+2.25.1
+
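Review bot: the embedded commit message still lists "tests/test-vasnprintf.c (test_function): Add another test.", but the diffstat and the only inner hunk touch lib/vasnprintf.c alone (1 file changed, 3 insertions, 1 deletion), so the regression test for the overrun is not carried in this package. Either include the test hunk that the message refers to, or drop that changelog line from the packaged patch and state in the outer commit message that the test was left out. The allocation change itself, `malloc (xsum (xsum (extra_zeroes, c_len), 1))`, agrees with the new comment (zeroes, then digits, then the terminating NUL) and keeps the existing `c_ptr != NULL` check.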
index b3807b040334b540950df404b53573f41887483a..c881e97c20b2ed80a4977198a8a31c384f95dca2 100644 (file)
@@ -7,6 +7,7 @@ Url:            http://www.gnu.org/software/patch/patch.html
 Group:          Development/Tools
 Source0:        ftp://ftp.gnu.org/gnu/patch/patch-%{version}.tar.xz
 Source11:       CVE-2018-6951.patch
+Source12:       CVE-2018-17942.patch
 Source1001:     patch.manifest
 
 %description
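Review bot: style point on the `Source12: CVE-2018-17942.patch` line: the fix is declared as a Source rather than a Patch tag, which follows the existing `Source11` entry but means tooling that enumerates a spec's patches will not list this CVE fix. If the Source convention has to stay, a one-line comment above `Source11`/`Source12` saying these are security patches applied in %prep would make that visible to anyone auditing the package.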
@@ -22,6 +23,7 @@ applications.
 %prep
 %setup -q
 %{__patch} -p1 < %{SOURCE11}
+%{__patch} -p1 < %{SOURCE12}
 
 %build
 cp %{SOURCE1001} .
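Review bot: `%{__patch} -p1 < %{SOURCE12}` runs with the default fuzz, so if the bundled lib/vasnprintf.c differs from the 8b91e3f blob the patch was cut against, the convert_to_decimal hunk can still apply with fuzz or at an offset without failing the build. Adding `--fuzz=0` to this line (and to the `%{SOURCE11}` line above it) would turn a context mismatch into a build error, which is the safer behaviour for a one-byte allocation fix.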