Control: tags 832959 + pending

Dear maintainer,
I've prepared an NMU for xmlrpc-epi (versioned as 0.54.2-1.2) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -u xmlrpc-epi-0.54.2/debian/changelog xmlrpc-epi-0.54.2/debian/changelog
--- xmlrpc-epi-0.54.2/debian/changelog
+++ xmlrpc-epi-0.54.2/debian/changelog
@@ -1,3 +1,11 @@
+xmlrpc-epi (0.54.2-1.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2016-6296: Heap buffer overflow vulnerability in simplestring_addn
+ (Closes: #832959)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sat, 13 Aug 2016 19:11:42 +0200
+
 xmlrpc-epi (0.54.2-1.1) unstable; urgency=low
 * Non-maintainer upload.
only in patch2:
unchanged:
--- xmlrpc-epi-0.54.2.orig/src/simplestring.c
+++ xmlrpc-epi-0.54.2/src/simplestring.c
@@ -167,6 +167,10 @@
 }
 /******/
+#ifndef SIZE_MAX
+#define SIZE_MAX ((size_t)-1)
+#endif
+
 /****f* FUNC/simplestring_addn
 * NAME
 * simplestring_addn
@@ -185,18 +189,31 @@
 * simplestring_add ()
 * SOURCE
 */
-void simplestring_addn(simplestring* target, const char* source, int add_len) {
+void simplestring_addn(simplestring* target, const char* source, size_t add_len) {
+ size_t newsize = target->size, incr = 0;
 if(target && source) {
 if(!target->str) {
 simplestring_init_str(target);
 }
+
+ if((SIZE_MAX - add_len) < target->len || (SIZE_MAX - add_len - 1) < target->len) {
+ /* check for overflows, if there's a potential overflow do nothing */
+ return;
+ }
+
 if(target->len + add_len + 1 > target->size) {
 /* newsize is current length + new length */
- int newsize = target->len + add_len + 1;
- int incr = target->size * 2;
+ newsize = target->len + add_len + 1;
+ incr = target->size * 2;
 /* align to SIMPLESTRING_INCR increments */
- newsize = newsize - (newsize % incr) + incr;
+ if (incr) {
+ newsize = newsize - (newsize % incr) + incr;
+ }
+ if(newsize < (target->len + add_len + 1)) {
+ /* some kind of overflow happened */
+ return;
+ }
 target->str = (char*)realloc(target->str, newsize);
 target->size = target->str ? newsize : 0;
only in patch2:
unchanged:
--- xmlrpc-epi-0.54.2.orig/src/simplestring.h
+++ xmlrpc-epi-0.54.2/src/simplestring.h
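Review bot: The new declaration `size_t newsize = target->size, incr = 0;` reads `target->size` before the existing `if(target && source)` guard, so a NULL `target` that the old code silently tolerated now dereferences NULL; since `newsize` is only read after it is assigned inside the realloc branch, `size_t newsize = 0, incr = 0;` keeps the guard meaningful. The added overflow guard also has a gap: when `add_len == SIZE_MAX`, `SIZE_MAX - add_len - 1` wraps back to `SIZE_MAX`, both clauses are false for an empty target, `target->len + add_len + 1` then wraps to 0 so the realloc branch is skipped, and the copy that presumably follows the hunk would write `add_len` bytes into the small initial buffer. A single condition `if (add_len >= SIZE_MAX - target->len) { return; }` rejects exactly the lengths for which `len + add_len + 1` would overflow and cannot wrap itself. The function body continues past the hunk (the copy into `target->str` is not shown here), so that tail should be checked against whichever guard is kept.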
@@ -63,7 +63,7 @@
 void simplestring_clear(simplestring* string);
 void simplestring_free(simplestring* string);
 void simplestring_add(simplestring* string, const char* add);
-void simplestring_addn(simplestring* string, const char* add, int add_len);
+void simplestring_addn(simplestring* string, const char* add, size_t add_len);
 #ifdef __cplusplus
 }