rpms / aide

Clone
Source Code
GIT

Blame SOURCES/aide-0.16-CVE-2021-45417.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-beta c7-ppc64le c8 c8-beta c8s c9 c9-beta
  1.   c9-beta
  2.   SOURCES
  3.   aide-0.16-CVE-2021-45417.patch
Blob History Raw
98782b 
diff --git a/include/base64.h b/include/base64.h
98782b 
index 0ff7116..381ef5d 100644
98782b 
--- a/include/base64.h
98782b 
+++ b/include/base64.h
98782b 
@@ -36,7 +36,6 @@
98782b 
 #include <assert.h>
98782b 
 #include "types.h"
98782b
98782b 
-#define B64_BUF 16384
98782b 
 #define FAIL -1
98782b 
 #define SKIP -2
98782b
98782b 
diff --git a/src/base64.c b/src/base64.c
98782b 
index fd01bac..1b0f301 100644
98782b 
--- a/src/base64.c
98782b 
+++ b/src/base64.c
98782b 
@@ -85,11 +85,9 @@ FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL
98782b 
 };
98782b
98782b 
 /* Returns NULL on error */
98782b 
-/* FIXME Possible buffer overflow on outputs larger than B64_BUF */
98782b 
 char* encode_base64(byte* src,size_t ssize)
98782b 
 {
98782b 
   char* outbuf;
98782b 
-  char* retbuf;
98782b 
   int pos;
98782b 
   int i, l, left;
98782b 
   unsigned long triple;
98782b 
@@ -101,7 +99,10 @@ char* encode_base64(byte* src,size_t ssize)
98782b 
     error(240,"\n");
98782b 
     return NULL;
98782b 
   }
98782b 
-  outbuf = (char *)malloc(sizeof(char)*B64_BUF);
98782b 
+
98782b 
+  /* length of encoded base64 string (padded) */
98782b 
+  size_t length = sizeof(char)* ((ssize + 2) / 3) * 4;
98782b 
+  outbuf = (char *)malloc(length + 1);
98782b
98782b 
   /* Initialize working pointers */
98782b 
   inb = src;
98782b 
@@ -162,20 +163,14 @@ char* encode_base64(byte* src,size_t ssize)
98782b 
       inb++;
98782b 
   }
98782b
98782b 
-  /* outbuf is not completely used so we use retbuf */
98782b 
-  retbuf=(char*)malloc(sizeof(char)*(pos+1));
98782b 
-  memcpy(retbuf,outbuf,pos);
98782b 
-  retbuf[pos]='\0';
98782b 
-  free(outbuf);
98782b 
+  outbuf[pos]='\0';
98782b
98782b 
-  return retbuf;
98782b 
+  return outbuf;
98782b 
 }
98782b
98782b 
-/* FIXME Possible buffer overflow on outputs larger than B64_BUF */
98782b 
 byte* decode_base64(char* src,size_t ssize, size_t *ret_len)
98782b 
 {
98782b 
   byte* outbuf;
98782b 
-  byte* retbuf;
98782b 
   char* inb;
98782b 
   int i;
98782b 
   int l;
98782b 
@@ -188,10 +183,18 @@ byte* decode_base64(char* src,size_t ssize, size_t *ret_len)
98782b 
   if (!ssize||src==NULL)
98782b 
     return NULL;
98782b
98782b 
+  /* exit on unpadded input */
98782b 
+  if (ssize % 4) {
98782b 
+    error(3, "decode_base64: '%s' has invalid length (missing padding characters?)", src);
98782b 
+    return NULL;
98782b 
+  }
98782b 
+
98782b 
+  /* calculate length of decoded string, substract padding chars if any (ssize is >= 4) */
98782b 
+  size_t length = sizeof(byte) * ((ssize / 4) * 3)- (src[ssize-1] == '=') - (src[ssize-2] == '=');
98782b
98782b 
   /* Initialize working pointers */
98782b 
   inb = src;
98782b 
-  outbuf = (byte *)malloc(sizeof(byte)*B64_BUF);
98782b 
+  outbuf = (byte *)malloc(length + 1);
98782b
98782b 
   l = 0;
98782b 
   triple = 0;
98782b 
@@ -243,15 +246,11 @@ byte* decode_base64(char* src,size_t ssize, size_t *ret_len)
98782b 
       inb++;
98782b 
     }
98782b
98782b 
-  retbuf=(byte*)malloc(sizeof(byte)*(pos+1));
98782b 
-  memcpy(retbuf,outbuf,pos);
98782b 
-  retbuf[pos]='\0';
98782b 
-
98782b 
-  free(outbuf);
98782b 
+  outbuf[pos]='\0';
98782b
98782b 
   if (ret_len) *ret_len = pos;
98782b
98782b 
-  return retbuf;
98782b 
+  return outbuf;
98782b 
 }
98782b
98782b 
 size_t length_base64(char* src,size_t ssize)
98782b 
diff --git a/src/db.c b/src/db.c
98782b 
index 858240d..62c4faa 100644
98782b 
--- a/src/db.c
98782b 
+++ b/src/db.c
98782b 
@@ -664,13 +664,15 @@ db_line* db_char2line(char** ss,int db){
98782b
98782b 
 time_t base64totime_t(char* s){
98782b
98782b 
+  if(strcmp(s,"0")==0){
98782b 
+      return 0;
98782b 
+  }
98782b 
   byte* b=decode_base64(s,strlen(s),NULL);
98782b 
   char* endp;
98782b
98782b 
-  if (b==NULL||strcmp(s,"0")==0) {
98782b 
+  if (b==NULL) {
98782b
98782b 
     /* Should we print error here? */
98782b 
-    free(b);
98782b
98782b 
     return 0;
98782b 
   } else {

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation