authorTatsuya Kinoshita <tats@debian.org>2021-02-28 21:55:50 +0000
committerTatsuya Kinoshita <tats@debian.org>2021-02-28 21:55:50 +0000
commit60e58f54c1519537abca22d6b8e677c2ae5347e4 (patch)
tree5614abe0278d45c93a3931ccbbb6e6c43c0e87cf /debian
parentUpdate debian/changelog to 0.5.3+git20210102-5 (diff)
Update 030_str-overflow.patch to avoid zero size allocation in Str.c
Diffstat (limited to 'debian')
-rw-r--r--debian/patches/030_str-overflow.patch11
1 files changed, 7 insertions, 4 deletions
diff --git a/debian/patches/030_str-overflow.patch b/debian/patches/030_str-overflow.patch
index fa8db0d..d7b08f3 100644
--- a/debian/patches/030_str-overflow.patch
+++ b/debian/patches/030_str-overflow.patch
@@ -4,12 +4,15 @@ Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31397
Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31467
Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31500
+ Prevent zero size allocation in Str.c
Prevent unintentional integer overflow in Strcat_charp_n
Prevent unintentional integer overflow in Strgrow
One more fix overflow due to Strgrow
Fix potential overflow due to Str.c
Fix integer overflow due to Strgrow
+diff --git a/Str.c b/Str.c
+index 61fe3ca..03e0950 100644
--- a/Str.c
+++ b/Str.c
@@ -21,10 +21,12 @@
@@ -40,7 +43,7 @@ Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31500
return Strnew();
x = GC_MALLOC(sizeof(struct _Str));
n = strlen(p) + 1;
-+ if (n < 0 || n > STR_SIZE_MAX)
++ if (n <= 0 || n > STR_SIZE_MAX)
+ n = STR_SIZE_MAX;
x->ptr = GC_MALLOC_ATOMIC(n);
x->area_size = n;
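Review bot: The range test in this hunk runs only after `n = strlen(p) + 1` has already been narrowed into `n`, so `n <= 0 || n > STR_SIZE_MAX` judges the converted value rather than the real length. Assuming `n` is a signed int (its declaration is outside the hunk, though the `n <= 0` test suggests so), a very long string whose length wraps to a small positive value would skip the clamp and be recorded with the wrong size. Comparing in `size_t` before converting removes that dependency: `size_t len = strlen(p);` followed by `n = (len >= STR_SIZE_MAX) ? STR_SIZE_MAX : (int)(len + 1);`. The function continues past the hunk, so it is worth confirming there that the copy after a clamp is bounded by `n` and leaves the buffer NUL-terminated.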
@@ -111,7 +114,7 @@ Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31500
+ if (n < 0)
+ n = STR_SIZE_MAX - 1;
newlen = x->length + n + 1;
-+ if (newlen < 0 || newlen > STR_SIZE_MAX) {
++ if (newlen <= 0 || newlen > STR_SIZE_MAX) {
+ newlen = STR_SIZE_MAX;
+ n = newlen - x->length - 1;
+ }
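Review bot: `newlen = x->length + n + 1` is computed before `newlen <= 0 || newlen > STR_SIZE_MAX` is evaluated, so the guard can only notice an overflow after it has happened. If these are signed ints (the declarations are outside the hunk), that relies on wraparound the C standard leaves undefined, and a compiler is allowed to drop the `<= 0` branch. Whether the sum can actually overflow depends on the value of STR_SIZE_MAX, which is not visible here. Testing the headroom first keeps the check well defined, assuming `x->length` is already below STR_SIZE_MAX: `if (n > STR_SIZE_MAX - 1 - x->length)` takes the clamping branch, and `newlen = x->length + n + 1;` moves to the else path. The same check-after-arithmetic shape appears in the hunks at `@@ -119,7 +122,7 @@` and `@@ -132,7 +135,7 @@`.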
@@ -119,7 +122,7 @@ Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31500
char *old = x->ptr;
- newlen = newlen * 3 / 2;
+ newlen += newlen / 2;
-+ if (newlen < 0 || newlen > STR_SIZE_MAX)
++ if (newlen <= 0 || newlen > STR_SIZE_MAX)
+ newlen = STR_SIZE_MAX;
x->ptr = GC_MALLOC_ATOMIC(newlen);
x->area_size = newlen;
@@ -132,7 +135,7 @@ Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31500
+ newlen = x->area_size + x->area_size / 5;
if (newlen == x->area_size)
newlen += 2;
-+ if (newlen < 0 || newlen > STR_SIZE_MAX) {
++ if (newlen <= 0 || newlen > STR_SIZE_MAX) {
+ newlen = STR_SIZE_MAX;
+ if (x->length + 1 >= newlen)
+ x->length = newlen - 2;