Package: libgcab-1.0-0
Version: 1.2-2
Severity: normal
Tags: patch

Dear Maintainer,

libgcab has an overflow bug which causes corruption when extracting
files; see https://gitlab.gnome.org/GNOME/gcab/issues/12 for details
and an example.

https://gitlab.gnome.org/GNOME/gcab/commit/5619f4cd2ca3108c8dea17ba656b5ce44a60ca29
fixes this.

Regards,

Stephen


-- System Information:
Debian Release: 9.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 
'unstable-debug'), (100, 'testing-debug'), (100, 'unstable'), (100, 'testing'), 
(1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-9-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libgcab-1.0-0 depends on:
ii  libc6         2.24-11+deb9u4
ii  libglib2.0-0  2.50.3-2
ii  zlib1g        1:1.2.8.dfsg-5

libgcab-1.0-0 recommends no packages.

libgcab-1.0-0 suggests no packages.

-- no debconf information
commit 5619f4cd2ca3108c8dea17ba656b5ce44a60ca29
Author: Marc-André Lureau <marcandre.lur...@redhat.com>
Date:   Fri Jan 11 19:42:40 2019 +0400

    Revert "decomp: fix gcc warning strict-overflow"
    
    The warning doesn't happen with current build-sys.
    
    The overlapping behaviour is undefined with memcpy. memmove doesn't
    have the same semantic either than the loop. Let's revert!
    
    Fixes:
    https://gitlab.gnome.org/GNOME/gcab/issues/12
    
    This reverts commit e48074952743f53d8ac529d4debc421e7e0f6937.
    
    Signed-off-by: Marc-André Lureau <marcandre.lur...@redhat.com>

diff --git a/libgcab/decomp.c b/libgcab/decomp.c
index 64d97f8..0c2b184 100644
--- a/libgcab/decomp.c
+++ b/libgcab/decomp.c
@@ -1015,9 +1015,7 @@ int LZXfdi_decomp(int inlen, int outlen, fdi_decomp_state 
*decomp_state) {
             window_posn += match_length;
 
             /* copy match data - no worries about destination wraps */
-            memcpy(rundest, runsrc, match_length);
-            rundest += match_length;
-            runsrc += match_length;
+            while (match_length-- > 0) *rundest++ = *runsrc++;
           }
         }
         break;
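Review bot: The comment kept above the new loop, "copy match data - no worries about destination wraps", does not mention that the source and destination ranges can overlap, which is the reason the commit message gives for dropping memcpy. Suggest extending it to say that the ranges may overlap and that the copy must proceed forward one byte at a time, so the loop is not swapped for memcpy or memmove again by a later cleanup.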
@@ -1106,9 +1104,7 @@ int LZXfdi_decomp(int inlen, int outlen, fdi_decomp_state 
*decomp_state) {
             window_posn += match_length;
 
             /* copy match data - no worries about destination wraps */
-            memcpy(rundest, runsrc, match_length);
-            rundest += match_length;
-            runsrc += match_length;
+            while (match_length-- > 0) *rundest++ = *runsrc++;
           }
         }
         break;
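Review bot: The copy loop added here duplicates the one in the first hunk, so the overlap requirement now lives at two sites in LZXfdi_decomp that can drift apart. A small static helper taking rundest, runsrc and match_length, with the requirement documented once, would avoid that. Also note that `while (match_length-- > 0)` leaves match_length decremented past zero on exit, where the removed memcpy version left it unchanged; the visible context only reaches `break`, but any later read of match_length in this case would see the difference.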

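The overlap behaviour the commit message refers to, as an added example that is not part of the original report or of the gcab source: it expands one LZ77-style match whose distance is shorter than its length, once with a forward byte loop and once with memmove. The names `lz_copy_forward` and `expand`, the window contents and the match values are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Forward byte-by-byte match copy, the semantics an LZ77-style decoder needs:
 * when dst - src < len, bytes written earlier in this same copy are read
 * again later, so a short pattern is replicated across the whole match. */
static void lz_copy_forward(unsigned char *dst, const unsigned char *src, int len)
{
    while (len-- > 0) *dst++ = *src++;
}

/* Expand one match at position pos of a constructed window that starts with
 * "abc", using either the forward loop or memmove. Returns out. */
static const char *expand(char *out, size_t outsz, int use_memmove)
{
    unsigned char window[16];
    const int pos = 3, distance = 3, length = 6;  /* constructed sample values */

    memset(window, '.', sizeof window);
    memcpy(window, "abc", 3);

    if (use_memmove)
        /* memmove behaves as if the source were snapshotted first, so the
         * not-yet-decoded bytes ('.') are copied instead of the pattern. */
        memmove(window + pos, window + pos - distance, length);
    else
        lz_copy_forward(window + pos, window + pos - distance, length);

    /* Precision bounds the read, so window needs no terminator. */
    snprintf(out, outsz, "%.*s", pos + length, (const char *)window);
    return out;
}

int main(void)
{
    char a[16], b[16];
    printf("forward loop: %s\n", expand(a, sizeof a, 0));
    printf("memmove:      %s\n", expand(b, sizeof b, 1));
    return 0;
}
```

memcpy is left out on purpose: calling it with overlapping ranges is undefined behaviour, so its output depends on the libc and compiler in use.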