Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock
Severity: normal
Coin,

This upload fixes a nasty hang with security implications (see #773041). It only affects wheezy through this library. The patch is quite small and that's the only change (debdiff attached).
Command: unblock libmspack/0.4-2

Thanks.

-- 
Marc Dequènes
diff -Nru libmspack-0.4/debian/changelog libmspack-0.4/debian/changelog --- libmspack-0.4/debian/changelog 2013-08-16 23:52:26.000000000 +0200 +++ libmspack-0.4/debian/changelog 2014-12-30 17:44:28.000000000 +0100 @@ -1,3 +1,10 @@ +libmspack (0.4-2) unstable; urgency=medium + + * Added patch 'qtmd-fix-frame_end-overflow.patch' to fix an overflow + causing an infinite loop in some situation (Closes: #773041). + + -- Marc Dequènes (Duck) <d...@duckcorp.org> Tue, 30 Dec 2014 17:40:47 +0100 + libmspack (0.4-1) unstable; urgency=low * Initial release. (Closes: #711232) diff -Nru libmspack-0.4/debian/patches/qtmd-fix-frame_end-overflow.patch libmspack-0.4/debian/patches/qtmd-fix-frame_end-overflow.patch --- libmspack-0.4/debian/patches/qtmd-fix-frame_end-overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ libmspack-0.4/debian/patches/qtmd-fix-frame_end-overflow.patch 2014-12-30 17:30:17.000000000 +0100 
@@ -0,0 +1,62 @@ +From a0449d2079c4ba5822e6567ad7094c10108f16cd Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> +Date: Tue, 23 Dec 2014 21:20:43 +0100 +Subject: libmspack: qtmd: fix frame_end overflow + +Debian bts #773041, #772891 contains a report of a .cab file which +causes an endless loop. +Eric Sharkey diagnosed the problem as frame_end is 32bit and overflows +and the result the loop makes no progress. +The problem seems that after the overflow, window_posn is larger than +frame_end and therefore we never enter the loop to make progress. But we +still have out_bytes >0 so we don't leave the outer loop either. + +Andreas Cadhalpun suggested to instead makeing frame_end 64bit, we could +avoid the overflow by reordering the code the following way: + +original, with just out_bytes (without (qtm->o_end - qtm->o_ptr)) +| frame_end = window_posn + out_bytes; +| if ((window_posn + frame_todo) < frame_end) { +| frame_end = window_posn + frame_todo; +| } + +replace frame_end in "if" with its content (and move the first frame_end +into the else path) +| if ((window_posn + frame_todo) < (window_posn + out_bytes)) +| frame_end = window_posn + frame_todo; +| else +| frame_end = window_posn + out_bytes; + +remove window_posn from "if" since it is the same both times. +| if (frame_todo < out_bytes) +| frame_end = window_posn + frame_todo; +| else +| frame_end = window_posn + out_bytes; + +Andreas added: +|This works, because frame_todo is at most QTM_FRAME_SIZE = 32768. 
+ +Suggested-as-patch: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> +[sebastian@breakpoint: added patch description] +Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> +--- + libmspack/mspack/qtmd.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/mspack/qtmd.c b/mspack/qtmd.c +index 12b27f5608c4..e584aef8e576 100644 +--- a/mspack/qtmd.c ++++ b/mspack/qtmd.c +@@ -296,9 +296,10 @@ int qtmd_decompress(struct qtmd_stream *qtm, off_t out_bytes) { + + /* decode more, up to the number of bytes needed, the frame boundary, + * or the window boundary, whichever comes first */ +- frame_end = window_posn + (out_bytes - (qtm->o_end - qtm->o_ptr)); +- if ((window_posn + frame_todo) < frame_end) { ++ if (frame_todo < (out_bytes - (qtm->o_end - qtm->o_ptr))) { + frame_end = window_posn + frame_todo; ++ } else { ++ frame_end = window_posn + (out_bytes - (qtm->o_end - qtm->o_ptr)); + } + if (frame_end > qtm->window_size) { + frame_end = qtm->window_size; diff -Nru libmspack-0.4/debian/patches/series libmspack-0.4/debian/patches/series --- libmspack-0.4/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libmspack-0.4/debian/patches/series 2014-12-30 17:10:37.000000000 +0100 @@ -0,0 +1 @@ +qtmd-fix-frame_end-overflow.patch
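Review bot: the 0.4-2 changelog stanza describes the fix as "an overflow causing an infinite loop in some situation" without saying that the trigger is a crafted .cab file fed to the decompressor, which is what the patch description (Debian bugs #773041 and #772891) reports and what makes this a denial-of-service fix rather than an ordinary bug fix. Suggest wording it along the lines of "Fix a frame_end overflow in qtmd_decompress() that makes it loop forever on a crafted .cab file (Closes: #773041)", closing #772891 in the same entry if that bug is filed against this source package, and in any case "in some situation" should read "in some situations".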
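Review bot: in the qtmd.c hunk the expression `(out_bytes - (qtm->o_end - qtm->o_ptr))` is now evaluated twice, in the `if` condition and again in the `else` branch, and the condition compares `frame_todo` against an `off_t`-typed value (`out_bytes` is `off_t` per the function signature in the hunk header) while `frame_end` is 32-bit per the patch description, so the comparison silently mixes widths and signedness in exactly the spot where the original overflow hid. Suggest hoisting the remaining-bytes value into one local and making the conversion explicit, e.g.

    off_t todo = out_bytes - (qtm->o_end - qtm->o_ptr);
    frame_end = window_posn + ((todo < (off_t) frame_todo) ? (unsigned int) todo : frame_todo);

and adding a one-line comment that the `else` path (or the `todo` side of the ternary) cannot overflow only because it is taken when the remaining count is at most `frame_todo`, which is bounded by QTM_FRAME_SIZE (32768); that bound is the invariant the patch description relies on and it deserves to be stated next to the code. Since the patch is carried as a git format-patch, a DEP-3 `Bug-Debian: https://bugs.debian.org/773041` line in its header would also let the fix be traced without reading the description.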