Blame SOURCES/CVE-2019-16167_memory-corruption-due-to-an-integer-overflow.patch
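--- a/sa_common.c
+++ b/sa_common.c
@@ -1249,6 +1249,11 @@
 /* Remap [unsigned] long fields */
 d = gtypes_nr[0] - ftypes_nr[0];
 if (d) {
+
+ if (ftypes_nr[0] * ULL_ALIGNMENT_WIDTH < ftypes_nr[0])
+ /* Overflow */
+ return;
+
 memmove(((char *) ps) + gtypes_nr[0] * ULL_ALIGNMENT_WIDTH,
 ((char *) ps) + ftypes_nr[0] * ULL_ALIGNMENT_WIDTH,
 st_size - ftypes_nr[0] * ULL_ALIGNMENT_WIDTH);
@@ -1260,7 +1265,13 @@
 /* Remap [unsigned] int fields */
 d = gtypes_nr[1] - ftypes_nr[1];
 if (d) {
- memmove(((char *) ps) + gtypes_nr[0] * ULL_ALIGNMENT_WIDTH
+
+ if (gtypes_nr[0] * ULL_ALIGNMENT_WIDTH +
+ ftypes_nr[1] * UL_ALIGNMENT_WIDTH < ftypes_nr[1])
+ /* Overflow */
+ return;
+
+ memmove(((char *) ps) + gtypes_nr[0] * ULL_ALIGNMENT_WIDTH
 + gtypes_nr[1] * UL_ALIGNMENT_WIDTH,
 ((char *) ps) + gtypes_nr[0] * ULL_ALIGNMENT_WIDTH
 + ftypes_nr[1] * UL_ALIGNMENT_WIDTH,
@@ -1275,6 +1286,13 @@
 /* Remap possible fields (like strings of chars) following int fields */
 d = gtypes_nr[2] - ftypes_nr[2];
 if (d) {
+
+ if (gtypes_nr[0] * ULL_ALIGNMENT_WIDTH +
+ gtypes_nr[1] * UL_ALIGNMENT_WIDTH +
+ ftypes_nr[2] * U_ALIGNMENT_WIDTH < ftypes_nr[2])
+ /* Overflow */
+ return;
+
 memmove(((char *) ps) + gtypes_nr[0] * ULL_ALIGNMENT_WIDTH
 + gtypes_nr[1] * UL_ALIGNMENT_WIDTH
 + gtypes_nr[2] * U_ALIGNMENT_WIDTH,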
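Review bot: The added guard `if (ftypes_nr[0] * ULL_ALIGNMENT_WIDTH < ftypes_nr[0])` in the first hunk is not a reliable overflow test for a multiplication, because a product that wraps can still end up larger than the operand, and it never bounds the offset against `st_size`, so the `st_size - ftypes_nr[0] * ULL_ALIGNMENT_WIDTH` length handed to memmove() can still wrap for a count that is too large but does not overflow. Comparing by division covers both cases, e.g. `if (ftypes_nr[0] > st_size / ULL_ALIGNMENT_WIDTH) return;`, assuming `st_size` is the size of the buffer behind `ps` (its declaration and type are outside the hunk). The guards in the second and third hunks have the same shape: they compare a sum of products with a single count, and the `gtypes_nr[]` terms that form the destination offsets are not range-checked at all. The bare `return;` also gives the caller no indication that remapping was abandoned part-way; the enclosing function starts and ends outside these hunks, so whether it can report an error is not visible here.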