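--- a/java/org/apache/tomcat/util/buf/Ascii.java
+++ b/java/org/apache/tomcat/util/buf/Ascii.java
@@ -40,6 +40,7 @@
     private static final boolean[] isWhite = new boolean[256];
     private static final boolean[] isDigit = new boolean[256];
 
+    private static final long OVERFLOW_LIMIT = Long.MAX_VALUE / 10;
     /*
      * Initialize character translation and type tables.
      */
@@ -206,20 +207,16 @@
         }
 
         long n = c - '0';
-        long m;
 
         while (--len > 0) {
-            if (!isDigit(c = b[off++])) {
+            if (isDigit(c = b[off++]) &&
+                    (n < OVERFLOW_LIMIT ||
+                     ( n == OVERFLOW_LIMIT && (c - '0') < 8))) {
+                n = n * 10 + c - '0';
+            } else {
                 throw new NumberFormatException();
             }
-            m = n * 10 + c - '0';
 
-            if (m < n) {
-                // Overflow
-                throw new NumberFormatException();
-            } else {
-                n = m;
-            }
         }
 
         return n;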
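Review bot: The bound `(c - '0') < 8` in the new condition at @@ -206 is a magic number whose correctness rests on Long.MAX_VALUE ending in 7, and nothing in the hunk records that, so a reader cannot tell whether the limit is inclusive or off by one. I would derive it next to the existing constant, `private static final long OVERFLOW_LAST_DIGIT = Long.MAX_VALUE % 10;` and test `(c - '0') <= OVERFLOW_LAST_DIGIT`, or at least put `// Long.MAX_VALUE ends in 7: at n == OVERFLOW_LIMIT only digits 0..7 still fit` above the check. Folding the overflow case into the same branch as the non-digit case also discards the old `// Overflow` comment, and both failures now throw a bare NumberFormatException, so a caller or a log entry cannot distinguish a malformed value from one that is merely too large; a separate overflow branch with `throw new NumberFormatException("value exceeds Long.MAX_VALUE");` would keep that distinction for diagnosing oversized length headers. The enclosing method and the declarations of `c`, `b`, `off` and `len` lie outside the hunk, so whether `c - '0'` is guaranteed non-negative before the comparison cannot be confirmed from here.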
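--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -59,6 +59,10 @@
   <subsection name="Catalina">
     <changelog>
       <fix>
+        CVE-2014-0099, Fix overflow when parsing long values from
+        byte array. (markt) Patch applied by Red Hat Jun 16 2014
+      </fix>
+      <fix>
         Fix CVE-2014-0050, a denial of service with a malicious, malformed
         Content-Type header and multipart request processing. Fixed by merging
         latest code (r1565163) from Commons FileUpload. (markt)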