Fix CVE-2018-17942
This commit is contained in:
starlet-dx
parent
fe87103e67
commit
f48866cfcc
84
CVE-2018-17942.patch
Normal file
84
CVE-2018-17942.patch
Normal file
@ -0,0 +1,84 @@
|
|||||||
|
From ac5a6fe5b87b4d61e03645598b33c33d964c62f0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Bruno Haible <bruno@clisp.org>
|
||||||
|
Date: Sun, 23 Sep 2018 14:13:52 +0200
|
||||||
|
Subject: [PATCH] vasnprintf: Fix heap memory overrun bug.
|
||||||
|
|
||||||
|
Reported by Ben Pfaff <blp@cs.stanford.edu> in
|
||||||
|
<https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html>.
|
||||||
|
|
||||||
|
* lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of
|
||||||
|
memory.
|
||||||
|
* tests/test-vasnprintf.c (test_function): Add another test.
|
||||||
|
---
|
||||||
|
ChangeLog | 9 +++++++++
|
||||||
|
lib/vasnprintf.c | 4 +++-
|
||||||
|
tests/test-vasnprintf.c | 21 ++++++++++++++++++++-
|
||||||
|
3 files changed, 32 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ChangeLog b/ChangeLog
|
||||||
|
index 7daeebe..1de72f0 100644
|
||||||
|
--- a/ChangeLog
|
||||||
|
+++ b/ChangeLog
|
||||||
|
@@ -1,3 +1,12 @@
|
||||||
|
+2018-09-23 Bruno Haible <bruno@clisp.org>
|
||||||
|
+
|
||||||
|
+ vasnprintf: Fix heap memory overrun bug.
|
||||||
|
+ Reported by Ben Pfaff <blp@cs.stanford.edu> in
|
||||||
|
+ <https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html>.
|
||||||
|
+ * lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of
|
||||||
|
+ memory.
|
||||||
|
+ * tests/test-vasnprintf.c (test_function): Add another test.
|
||||||
|
+
|
||||||
|
2018-07-17 Paul Eggert <eggert@cs.ucla.edu>
|
||||||
|
|
||||||
|
hard-locale: simplify by removing hard-locale.m4
|
||||||
|
diff --git a/lib/vasnprintf.c b/lib/vasnprintf.c
|
||||||
|
index 56ffbe3..30d021b 100644
|
||||||
|
--- a/lib/vasnprintf.c
|
||||||
|
+++ b/lib/vasnprintf.c
|
||||||
|
@@ -860,7 +860,9 @@ convert_to_decimal (mpn_t a, size_t extra_zeroes)
|
||||||
|
size_t a_len = a.nlimbs;
|
||||||
|
/* 0.03345 is slightly larger than log(2)/(9*log(10)). */
|
||||||
|
size_t c_len = 9 * ((size_t)(a_len * (GMP_LIMB_BITS * 0.03345f)) + 1);
|
||||||
|
- char *c_ptr = (char *) malloc (xsum (c_len, extra_zeroes));
|
||||||
|
+ /* We need extra_zeroes bytes for zeroes, followed by c_len bytes for the
|
||||||
|
+ digits of a, followed by 1 byte for the terminating NUL. */
|
||||||
|
+ char *c_ptr = (char *) malloc (xsum (xsum (extra_zeroes, c_len), 1));
|
||||||
|
if (c_ptr != NULL)
|
||||||
|
{
|
||||||
|
char *d_ptr = c_ptr;
|
||||||
|
diff --git a/tests/test-vasnprintf.c b/tests/test-vasnprintf.c
|
||||||
|
index 19731bc..93d81d7 100644
|
||||||
|
--- a/tests/test-vasnprintf.c
|
||||||
|
+++ b/tests/test-vasnprintf.c
|
||||||
|
@@ -53,7 +53,26 @@ test_function (char * (*my_asnprintf) (char *, size_t *, const char *, ...))
|
||||||
|
ASSERT (result != NULL);
|
||||||
|
ASSERT (strcmp (result, "12345") == 0);
|
||||||
|
ASSERT (length == 5);
|
||||||
|
- if (size < 6)
|
||||||
|
+ if (size < 5 + 1)
|
||||||
|
+ ASSERT (result != buf);
|
||||||
|
+ ASSERT (memcmp (buf + size, &"DEADBEEF"[size], 8 - size) == 0);
|
||||||
|
+ if (result != buf)
|
||||||
|
+ free (result);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Note: This test assumes IEEE 754 representation of 'double' floats. */
|
||||||
|
+ for (size = 0; size <= 8; size++)
|
||||||
|
+ {
|
||||||
|
+ size_t length;
|
||||||
|
+ char *result;
|
||||||
|
+
|
||||||
|
+ memcpy (buf, "DEADBEEF", 8);
|
||||||
|
+ length = size;
|
||||||
|
+ result = my_asnprintf (buf, &length, "%2.0f", 1.6314159265358979e+125);
|
||||||
|
+ ASSERT (result != NULL);
|
||||||
|
+ ASSERT (strcmp (result, "163141592653589790215729350939528493057529598899734151772468186268423257777068536614838678161083520756952076273094236944990208") == 0);
|
||||||
|
+ ASSERT (length == 126);
|
||||||
|
+ if (size < 126 + 1)
|
||||||
|
ASSERT (result != buf);
|
||||||
|
ASSERT (memcmp (buf + size, &"DEADBEEF"[size], 8 - size) == 0);
|
||||||
|
if (result != buf)
|
||||||
|
--
|
||||||
|
2.30.0
|
||||||
|
|
||||||
@ -1,10 +1,11 @@
|
|||||||
Name: gnulib
|
Name: gnulib
|
||||||
Version: 0
|
Version: 0
|
||||||
Release: 28.20180720git
|
Release: 29.20180720git
|
||||||
Summary: The GNU Portability Library
|
Summary: The GNU Portability Library
|
||||||
License: Public Domain and BSD and GPLv2+ and GPLv3 and GPLv3+ and LGPLv2 and LGPLv2+ and LGPLv3+
|
License: Public Domain and BSD and GPLv2+ and GPLv3 and GPLv3+ and LGPLv2 and LGPLv2+ and LGPLv3+
|
||||||
URL: https://www.gnu.org/software/gnulib
|
URL: https://www.gnu.org/software/gnulib
|
||||||
Source0: https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=snapshot;h=68df637;sf=tgz;name=gnulib-68df637.tar.gz#/gnulib-68df637.tar.gz
|
Source0: https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=snapshot;h=68df637;sf=tgz;name=gnulib-68df637.tar.gz#/gnulib-68df637.tar.gz
|
||||||
|
Patch0: CVE-2018-17942.patch
|
||||||
BuildRequires: perl-generators texinfo java-devel gettext-devel bison gperf libtool help2man git gcc_secure
|
BuildRequires: perl-generators texinfo java-devel gettext-devel bison gperf libtool help2man git gcc_secure
|
||||||
|
|
||||||
%description
|
%description
|
||||||
@ -114,6 +115,9 @@ fi
|
|||||||
%license doc/COPYINGv2
|
%license doc/COPYINGv2
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Feb 23 2022 yaoxin <yaoxin30@huawei.com> - 0-29.20180720git
|
||||||
|
- Fix CVE-2018-17942
|
||||||
|
|
||||||
* Sun Mar 21 2021 lingsheng <lingsheng@huawei.com> - 0-28.20180720git
|
* Sun Mar 21 2021 lingsheng <lingsheng@huawei.com> - 0-28.20180720git
|
||||||
- Add gcc_secure to fix test_localeconv fail
|
- Add gcc_secure to fix test_localeconv fail
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user