diff options
| author | Tatsuya Kinoshita <tats@debian.org> | 2021-02-28 21:55:50 +0000 |
|---|---|---|
| committer | Tatsuya Kinoshita <tats@debian.org> | 2021-02-28 21:55:50 +0000 |
| commit | 60e58f54c1519537abca22d6b8e677c2ae5347e4 (patch) | |
| tree | 5614abe0278d45c93a3931ccbbb6e6c43c0e87cf | |
| parent | Update debian/changelog to 0.5.3+git20210102-5 (diff) | |
| download | w3m-60e58f54c1519537abca22d6b8e677c2ae5347e4.tar.gz w3m-60e58f54c1519537abca22d6b8e677c2ae5347e4.zip | |
Update 030_str-overflow.patch to avoid zero size allocation in Str.c
| -rw-r--r-- | debian/patches/030_str-overflow.patch | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/debian/patches/030_str-overflow.patch b/debian/patches/030_str-overflow.patch index fa8db0d..d7b08f3 100644 --- a/debian/patches/030_str-overflow.patch +++ b/debian/patches/030_str-overflow.patch @@ -4,12 +4,15 @@ Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31397 Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31467 Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31500 + Prevent zero size allocation in Str.c Prevent unintentional integer overflow in Strcat_charp_n Prevent unintentional integer overflow in Strgrow One more fix overflow due to Strgrow Fix potential overflow due to Str.c Fix integer overflow due to Strgrow +diff --git a/Str.c b/Str.c +index 61fe3ca..03e0950 100644 --- a/Str.c +++ b/Str.c @@ -21,10 +21,12 @@ @@ -40,7 +43,7 @@ Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31500 return Strnew(); x = GC_MALLOC(sizeof(struct _Str)); n = strlen(p) + 1; -+ if (n < 0 || n > STR_SIZE_MAX) ++ if (n <= 0 || n > STR_SIZE_MAX) + n = STR_SIZE_MAX; x->ptr = GC_MALLOC_ATOMIC(n); x->area_size = n; @@ -111,7 +114,7 @@ Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31500 + if (n < 0) + n = STR_SIZE_MAX - 1; newlen = x->length + n + 1; -+ if (newlen < 0 || newlen > STR_SIZE_MAX) { ++ if (newlen <= 0 || newlen > STR_SIZE_MAX) { + newlen = STR_SIZE_MAX; + n = newlen - x->length - 1; + } @@ -119,7 +122,7 @@ Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31500 char *old = x->ptr; - newlen = newlen * 3 / 2; + newlen += newlen / 2; -+ if (newlen < 0 || newlen > STR_SIZE_MAX) ++ if (newlen <= 0 || newlen > STR_SIZE_MAX) + newlen = STR_SIZE_MAX; x->ptr = GC_MALLOC_ATOMIC(newlen); x->area_size = newlen; @@ -132,7 +135,7 @@ Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31500 + newlen = x->area_size + x->area_size / 5; if (newlen == x->area_size) newlen += 2; -+ if (newlen < 0 || newlen > STR_SIZE_MAX) { ++ if (newlen <= 0 || newlen > STR_SIZE_MAX) { + newlen = STR_SIZE_MAX; + if (x->length + 1 >= newlen) + x->length = newlen - 2; |