rpms / uriparser

Clone
Source Code
GIT

Blame SOURCES/uriparser-0.7.5-CVE-2018-19199-fix.patch

c4 c5 c5-plus c6 c6-plus c7 c7-beta
  1.   c7
  2.   SOURCES
  3.   uriparser-0.7.5-CVE-2018-19199-fix.patch
Blob History Raw
4b1602 
From f76275d4a91b28d687250525d3a0c5509bbd666f Mon Sep 17 00:00:00 2001
4b1602 
From: Sebastian Pipping <sebastian@pipping.org>
4b1602 
Date: Sun, 23 Sep 2018 21:30:39 +0200
4b1602 
Subject: [PATCH] UriQuery.c: Catch integer overflow in ComposeQuery and ...Ex
4b1602
4b1602 
---
4b1602 
 lib/UriQuery.c | 14 ++++++++++++--
4b1602 
 1 files changed, 12 insertions(+), 2 deletions(-)
4b1602
4b1602 
diff --git a/lib/UriQuery.c b/lib/UriQuery.c
4b1602 
index 45acf5a..9165ec8 100644
4b1602 
--- a/lib/UriQuery.c
4b1602 
+++ b/lib/UriQuery.c
4b1602 
@@ -64,6 +64,10 @@
4b1602
4b1602
4b1602
4b1602 
+#include <limits.h>
4b1602 
+
4b1602 
+
4b1602 
+
4b1602 
 static int URI_FUNC(ComposeQueryEngine)(URI_CHAR * dest,
4b1602 
 		const URI_TYPE(QueryList) * queryList,
4b1602 
 		int maxChars, int * charsWritten, int * charsRequired,
4b1602 
@@ -197,9 +201,15 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHAR * dest,
4b1602 
 		const URI_CHAR * const value = queryList->value;
4b1602 
 		const int worstCase = (normalizeBreaks == URI_TRUE ? 6 : 3);
4b1602 
 		const int keyLen = (key == NULL) ? 0 : (int)URI_STRLEN(key);
4b1602 
-		const int keyRequiredChars = worstCase * keyLen;
4b1602 
+		int keyRequiredChars;
4b1602 
 		const int valueLen = (value == NULL) ? 0 : (int)URI_STRLEN(value);
4b1602 
-		const int valueRequiredChars = worstCase * valueLen;
4b1602 
+		int valueRequiredChars;
4b1602 
+
4b1602 
+		if ((keyLen >= INT_MAX / worstCase) || (valueLen >= INT_MAX / worstCase)) {
4b1602 
+			return URI_ERROR_OUTPUT_TOO_LARGE;
4b1602 
+		}
4b1602 
+		keyRequiredChars = worstCase * keyLen;
4b1602 
+		valueRequiredChars = worstCase * valueLen;
4b1602
4b1602 
 		if (dest == NULL) {
4b1602 
 			if (firstItem == URI_TRUE) {

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation