-rw-r--r--debian/patches/030_str-overflow.patch33
1 files changed, 23 insertions, 10 deletions
diff --git a/debian/patches/030_str-overflow.patch b/debian/patches/030_str-overflow.patch
index 47aa4a7..fa8db0d 100644
--- a/debian/patches/030_str-overflow.patch
+++ b/debian/patches/030_str-overflow.patch
@@ -1,9 +1,14 @@
Subject: Fix overflow due to Str.c
Author: Tatsuya Kinoshita <tats@debian.org>
Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31397
+Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31467
+Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31500
- * Str.c: Fix potential overflow due to Str.c.
- * Str.c: Fix integer overflow due to Strgrow.
+ Prevent unintentional integer overflow in Strcat_charp_n
+ Prevent unintentional integer overflow in Strgrow
+ One more fix overflow due to Strgrow
+ Fix potential overflow due to Str.c
+ Fix integer overflow due to Strgrow
--- a/Str.c
+++ b/Str.c
@@ -16,7 +21,7 @@ Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31397
#include "myctype.h"
#define INITIAL_STR_SIZE 32
-+#define STR_SIZE_MAX INT_MAX
++#define STR_SIZE_MAX (INT_MAX - 1)
#ifdef STR_DEBUG
/* This is obsolete, because "Str" can handle a '\0' character now. */
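Review bot: The change of `STR_SIZE_MAX` from `INT_MAX` to `INT_MAX - 1` carries no comment, and the reason is not visible in this hunk; presumably it is so that expressions of the form `x->length + 1` compared against the cap, and the `newlen - 2` adjustment Strgrow makes at the cap, stay representable in int. That is the kind of invariant a later maintainer will undo by "restoring" INT_MAX unless it is written down next to the define, e.g. `/* one below INT_MAX so that length + 1 and the growth arithmetic in Strgrow/Strcat_charp_n cannot overflow int -- confirm against those call sites */`. If the real reason differs, the comment should state that instead.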
@@ -112,18 +117,26 @@ Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31397
+ }
if (x->area_size < newlen) {
char *old = x->ptr;
- newlen = newlen * 3 / 2;
+- newlen = newlen * 3 / 2;
++ newlen += newlen / 2;
+ if (newlen < 0 || newlen > STR_SIZE_MAX)
+ newlen = STR_SIZE_MAX;
x->ptr = GC_MALLOC_ATOMIC(newlen);
x->area_size = newlen;
bcopy((void *)old, (void *)x->ptr, x->length);
-@@ -237,9 +259,12 @@ Strgrow(Str x)
- newlen = x->area_size * 6 / 5;
+@@ -234,12 +256,18 @@ Strgrow(Str x)
+ {
+ char *old = x->ptr;
+ int newlen;
+- newlen = x->area_size * 6 / 5;
++ newlen = x->area_size + x->area_size / 5;
if (newlen == x->area_size)
newlen += 2;
-+ if (newlen < 0 || newlen > STR_SIZE_MAX)
++ if (newlen < 0 || newlen > STR_SIZE_MAX) {
+ newlen = STR_SIZE_MAX;
++ if (x->length + 1 >= newlen)
++ x->length = newlen - 2;
++ }
x->ptr = GC_MALLOC_ATOMIC(newlen);
x->area_size = newlen;
bcopy((void *)old, (void *)x->ptr, x->length);
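Review bot: Both growth computations on the new side still depend on signed overflow to trip the `newlen < 0` guard: `newlen += newlen / 2;` in Strcat_charp_n and `newlen = x->area_size + x->area_size / 5;` in Strgrow overflow int once the operand exceeds roughly two thirds (resp. five sixths) of INT_MAX, and signed overflow is undefined behaviour, so an optimizing compiler may legitimately delete the `newlen < 0` test and hand a wrapped size to GC_MALLOC_ATOMIC; the switch from `* 3 / 2` to `+= / 2` narrows the window but does not close it. Compare against the cap before adding: in Strcat_charp_n `if (newlen > STR_SIZE_MAX - newlen / 2) newlen = STR_SIZE_MAX; else newlen += newlen / 2;`, and in Strgrow the rewrite below, where the `+ 2` bump is folded into the same pre-check so that an area_size already at STR_SIZE_MAX cannot push newlen past INT_MAX either. The silent truncation `x->length = newlen - 2` also deserves a comment saying that the string's tail is deliberately discarded so that the caller's pending character and terminator still fit, since nothing reports the loss to the caller. Strcat_charp_n's body begins before this hunk, and Strgrow's close (GC_free of the old buffer) lies in the next hunk.
```c
Strgrow(Str x)
{
    char *old = x->ptr;
    int newlen;
    /* Grow by 6/5 (+2 for tiny sizes). Check for overflow before adding:
     * signed overflow is UB, so a post-hoc "newlen < 0" test is not reliable. */
    if (x->area_size > STR_SIZE_MAX - x->area_size / 5 - 2) {
        newlen = STR_SIZE_MAX;
        /* At the cap the tail is silently dropped so that one more char
         * plus the terminating '\0' still fit in the buffer. */
        if (x->length + 1 >= newlen)
            x->length = newlen - 2;
    } else {
        newlen = x->area_size + x->area_size / 5;
        if (newlen == x->area_size)
            newlen += 2;
    }
    /* … unchanged: GC_MALLOC_ATOMIC, area_size update, bcopy, GC_free … */
```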
@@ -131,7 +144,7 @@ Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31397
GC_free(old);
}
-@@ -315,6 +340,10 @@ Strdelete(Str s, int pos, int n)
+@@ -315,6 +343,10 @@ Strdelete(Str s, int pos, int n)
{
int i;
STR_LENGTH_CHECK(s);
@@ -142,7 +155,7 @@ Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31397
if (s->length <= pos + n) {
s->ptr[pos] = '\0';
s->length = pos;
-@@ -330,6 +359,8 @@ void
+@@ -330,6 +362,8 @@ void
Strtruncate(Str s, int pos)
{
STR_LENGTH_CHECK(s);
@@ -151,7 +164,7 @@ Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31397
s->ptr[pos] = '\0';
s->length = pos;
}
-@@ -342,7 +373,7 @@ Strshrink(Str s, int n)
+@@ -342,7 +376,7 @@ Strshrink(Str s, int n)
s->length = 0;
s->ptr[0] = '\0';
}