--- sa_common.c
+++ sa_common.c
@@ -1249,6 +1249,11 @@
 	/* Remap [unsigned] long fields */
 	d = gtypes_nr[0] - ftypes_nr[0];
 	if (d) {
+    
+    if (ftypes_nr[0] * ULL_ALIGNMENT_WIDTH < ftypes_nr[0])
+			/* Overflow */
+			return;
+
 		memmove(((char *) ps) + gtypes_nr[0] * ULL_ALIGNMENT_WIDTH,
 			((char *) ps) + ftypes_nr[0] * ULL_ALIGNMENT_WIDTH,
 			st_size - ftypes_nr[0] * ULL_ALIGNMENT_WIDTH);
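Review bot: The added test `ftypes_nr[0] * ULL_ALIGNMENT_WIDTH < ftypes_nr[0]` does not reliably detect wraparound, because a wrapped unsigned product can still be greater than or equal to its operand; with a 32-bit count and a width of 8 (constructed values), 0x30000000 * 8 wraps to 0x80000000 and passes the test. It also leaves `st_size - ftypes_nr[0] * ULL_ALIGNMENT_WIDTH` free to underflow into a very large memmove length whenever the product exceeds st_size without wrapping. A division-based bound covers both cases, `if (ftypes_nr[0] > st_size / ULL_ALIGNMENT_WIDTH) return;`, assuming the operands are unsigned (their declarations are outside the hunk). The checks added in the hunks at +1265 and +1286 use the same sum-versus-operand comparison and need the same treatment, with each offset term bounded against the size that remains.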
@@ -1260,7 +1265,13 @@
 	/* Remap [unsigned] int fields */
 	d = gtypes_nr[1] - ftypes_nr[1];
 	if (d) {
-		memmove(((char *) ps) + gtypes_nr[0] * ULL_ALIGNMENT_WIDTH
+		
+    if (gtypes_nr[0] * ULL_ALIGNMENT_WIDTH +
+		  ftypes_nr[1] * UL_ALIGNMENT_WIDTH < ftypes_nr[1])
+        /* Overflow */
+			  return;
+
+    memmove(((char *) ps) + gtypes_nr[0] * ULL_ALIGNMENT_WIDTH
 				      + gtypes_nr[1] * UL_ALIGNMENT_WIDTH,
 			((char *) ps) + gtypes_nr[0] * ULL_ALIGNMENT_WIDTH
 				      + ftypes_nr[1] * UL_ALIGNMENT_WIDTH,
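Review bot: The `return;` added before this memmove can fire after the first remap block has already shifted the long fields in ps, so a rejected input leaves the structure half remapped, and the bare return gives the caller no way to tell. If ftypes_nr is read from a data file (not visible here), the caller presumably goes on to use a structure that matches neither layout. Validating all three offset sets before the first memmove, and reporting failure through a status value that callers check, would avoid that. The memmove call and the enclosing function continue outside the hunk.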
@@ -1275,6 +1286,13 @@
 	/* Remap possible fields (like strings of chars) following int fields */
 	d = gtypes_nr[2] - ftypes_nr[2];
 	if (d) {
+		
+    if (gtypes_nr[0] * ULL_ALIGNMENT_WIDTH +
+		  gtypes_nr[1] * UL_ALIGNMENT_WIDTH +
+		  ftypes_nr[2] * U_ALIGNMENT_WIDTH < ftypes_nr[2])	
+        /* Overflow */
+			  return;
+
 		memmove(((char *) ps) + gtypes_nr[0] * ULL_ALIGNMENT_WIDTH
 				      + gtypes_nr[1] * UL_ALIGNMENT_WIDTH
 				      + gtypes_nr[2] * U_ALIGNMENT_WIDTH,
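Review bot: Only the source offset is tested here; the destination offset `gtypes_nr[0] * ULL_ALIGNMENT_WIDTH + gtypes_nr[1] * UL_ALIGNMENT_WIDTH + gtypes_nr[2] * U_ALIGNMENT_WIDTH` plus the copy length is never compared with the capacity of the buffer behind ps. When gtypes_nr[2] exceeds ftypes_nr[2] the data moves toward higher addresses, so if the length is derived from st_size as in the first block, the write ends beyond st_size bytes unless the allocation is larger, which the hunk does not show. Consider passing the allocated size into the function and rejecting any remap whose destination end exceeds it; at minimum a comment such as `/* ps must have room for the larger of the file and in-memory layouts */` would document the contract. The same applies to the two earlier memmove calls, and this call's length argument lies outside the hunk.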