mirror of
https://git.yoctoproject.org/poky
synced 2026-05-02 18:32:15 +02:00
curl: CVE-2016-8618
double-free in curl_maprintf Affected versions: curl 7.1 to and including 7.50.3 Reference: https://curl.haxx.se/docs/adv_20161102D.html (From OE-Core rev: 4163dacd30373501313fc40fd678c525980d1ccd) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Sona Sarmadi
committed by
Richard Purdie
Richard Purdie
parent
eb0dff0c98
commit
cf7507f8c4
52
meta/recipes-support/curl/curl/CVE-2016-8618.patch
Normal file
52
meta/recipes-support/curl/curl/CVE-2016-8618.patch
Normal file
@@ -0,0 +1,52 @@
|
||||
From 31106a073882656a2a5ab56c4ce2847e9a334c3c Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Wed, 28 Sep 2016 10:15:34 +0200
|
||||
Subject: [PATCH] aprintf: detect wrap-around when growing allocation
|
||||
|
||||
On 32bit systems we could otherwise wrap around after 2GB and allocate 0
|
||||
bytes and crash.
|
||||
|
||||
CVE: CVE-2016-8618
|
||||
Upstream-Status: Backport
|
||||
|
||||
Bug: https://curl.haxx.se/docs/adv_20161102D.html
|
||||
Reported-by: Cure53
|
||||
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
|
||||
---
|
||||
lib/mprintf.c | 9 ++++++---
|
||||
1 file changed, 6 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/lib/mprintf.c b/lib/mprintf.c
|
||||
index dbedeaa..2c88aa8 100644
|
||||
--- a/lib/mprintf.c
|
||||
+++ b/lib/mprintf.c
|
||||
@@ -1034,20 +1034,23 @@ static int alloc_addbyter(int output, FILE *data)
|
||||
}
|
||||
infop->alloc = 32;
|
||||
infop->len =0;
|
||||
}
|
||||
else if(infop->len+1 >= infop->alloc) {
|
||||
- char *newptr;
|
||||
+ char *newptr = NULL;
|
||||
+ size_t newsize = infop->alloc*2;
|
||||
|
||||
- newptr = realloc(infop->buffer, infop->alloc*2);
|
||||
+ /* detect wrap-around or other overflow problems */
|
||||
+ if(newsize > infop->alloc)
|
||||
+ newptr = realloc(infop->buffer, newsize);
|
||||
|
||||
if(!newptr) {
|
||||
infop->fail = 1;
|
||||
return -1; /* fail */
|
||||
}
|
||||
infop->buffer = newptr;
|
||||
- infop->alloc *= 2;
|
||||
+ infop->alloc = newsize;
|
||||
}
|
||||
|
||||
infop->buffer[ infop->len ] = outc;
|
||||
|
||||
infop->len++;
|
||||
--
|
||||
2.9.3
|
||||
|
||||
@@ -18,6 +18,7 @@ SRC_URI += " file://configure_ac.patch \
|
||||
file://CVE-2016-8615.patch \
|
||||
file://CVE-2016-8616.patch \
|
||||
file://CVE-2016-8617.patch \
|
||||
file://CVE-2016-8618.patch \
|
||||
"
|
||||
|
||||
SRC_URI[md5sum] = "9ea3123449439bbd960cd25cf98796fb"
|
||||
|
||||
Reference in New Issue
Block a user