Bug#326767: Failure to use return value from realloc (!)

[Ian Jackson]

Package: wget
Version: 1.9.1-12
Severity: grave

In http://bugzilla.ubuntu.com/show_bug.cgi?id=12604 a user reported a
problem with Ubuntu's version of wget which examination of the Debian
source shows is present there too.

Basically, three calls to xrealloc do not update the variable used to
remember where the buffer is, which obviously breaks (and may be a
security problem) if xrealloc moves the buffer.

 $ find wget-1.9.1 -name '*.[ch]' | xargs grep 'realloc (dest'
 wget-1.9.1/src/log.c:                           xrealloc (dest, (len *= 2 + 
MB_CUR_MAX));
 wget-1.9.1/src/log.c:                           xrealloc (dest, (len *= 2 + 4 
* MB_CUR_MAX));
 wget-1.9.1/src/log.c:           xrealloc (dest, (j + MB_CUR_MAX));

Note that this is in wget-1.9.1-12 after debian/rules build.  The bug
was introduced in a security patch.  wget-1.10 does not have the same
problem because it doesn't need the same security patch.

The patch I applied to the Ubuntu package is enclosed for your comfort
and convenience.

Thanks,
Ian.

diff -u wget-1.9.1/debian/changelog wget-1.9.1/debian/changelog
--- wget-1.9.1/debian/changelog
+++ wget-1.9.1/debian/changelog
@@ -1,3 +1,11 @@
+wget (1.9.1-10ubuntu2.2) hoary-security; urgency=low
+
+  * Fix for broken use of realloc in security update in
+    wget-filter-controls.patch.v3--multibyte-aware patch.
+    Fixes ubuntu bug 12604.
+
+ -- Ian Jackson <[EMAIL PROTECTED]>  Mon,  5 Sep 2005 16:21:42 +0100
+
 wget (1.9.1-10ubuntu2.1) hoary-security; urgency=low
 
   * SECURITY UPDATE: Fix arbitrary file overwriting and code execution.
diff -u 
wget-1.9.1/debian/patches/wget-filter-controls.patch.v3--multibyte-aware 
wget-1.9.1/debian/patches/wget-filter-controls.patch.v3--multibyte-aware
--- wget-1.9.1/debian/patches/wget-filter-controls.patch.v3--multibyte-aware
+++ wget-1.9.1/debian/patches/wget-filter-controls.patch.v3--multibyte-aware
@@ -101,7 +101,7 @@
 -                      dest[j++] = c;
 +              } else if (iswprint(c) || iswblank(c) || c == L'\n') {
 +                      if (len - j < MB_CUR_MAX)
-+                              xrealloc (dest, (len *= 2 + MB_CUR_MAX));
++                              dest = xrealloc (dest, (len *= 2 + MB_CUR_MAX));
 +                      j += wctomb (dest + j, c);
                } else {
 -                      dest[j++] = '\\';
@@ -110,7 +110,7 @@
 -                      dest[j++] = '0' + (c & 7);
 +escape:
 +                      if (len - j < (4 * MB_CUR_MAX))
-+                              xrealloc (dest, (len *= 2 + 4 * MB_CUR_MAX));
++                              dest = xrealloc (dest, (len *= 2 + 4 * 
MB_CUR_MAX));
 +                      for (;ret > 0; i++, ret--) {
 +                              c = (*src)[i];
 +
@@ -128,7 +128,7 @@
        }
 -      dest[j] = '\0';
 +      if (len - j < MB_CUR_MAX)
-+              xrealloc (dest, (j + MB_CUR_MAX));
++              dest = xrealloc (dest, (j + MB_CUR_MAX));
 +      (void) wctomb (dest + j, L'\0');
  
        xfree (*src);


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]