Resolves: CVE-2016-8617 - base64: check for integer overflow on large input
This commit is contained in:
parent
48891bfbad
commit
aab38786d3
|
@ -0,0 +1,35 @@
|
|||
From f4145e2024d0785d6e72f5963585e7a43cace9cd Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Wed, 28 Sep 2016 00:05:12 +0200
|
||||
Subject: [PATCH] base64: check for integer overflow on large input
|
||||
|
||||
CVE-2016-8617
|
||||
|
||||
Bug: https://curl.haxx.se/docs/adv_20161102C.html
|
||||
Reported-by: Cure53
|
||||
|
||||
Upstream-commit: efd24d57426bd77c9b5860e6b297904703750412
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/base64.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/lib/base64.c b/lib/base64.c
|
||||
index 2212115..8db578c 100644
|
||||
--- a/lib/base64.c
|
||||
+++ b/lib/base64.c
|
||||
@@ -190,6 +190,11 @@ static CURLcode base64_encode(const char *table64,
|
||||
if(0 == insize)
|
||||
insize = strlen(indata);
|
||||
|
||||
+#if SIZEOF_SIZE_T == 4
|
||||
+ if(insize > UINT_MAX/4)
|
||||
+ return CURLE_OUT_OF_MEMORY;
|
||||
+#endif
|
||||
+
|
||||
base64data = output = malloc(insize*4/3+4);
|
||||
if(NULL == output)
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
--
|
||||
2.7.4
|
||||
|
|
@ -49,6 +49,9 @@ Patch18: 0018-curl-7.47.1-CVE-2016-8618.patch
|
|||
# fix double-free in krb5 code (CVE-2016-8619)
|
||||
Patch19: 0019-curl-7.47.1-CVE-2016-8619.patch
|
||||
|
||||
# base64: check for integer overflow on large input (CVE-2016-8617)
|
||||
Patch20: 0020-curl-7.47.1-CVE-2016-8617.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
|
@ -176,6 +179,7 @@ documentation of the library, too.
|
|||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
%patch20 -p1
|
||||
|
||||
# Fedora patches
|
||||
%patch101 -p1
|
||||
|
@ -292,6 +296,7 @@ rm -rf $RPM_BUILD_ROOT
|
|||
|
||||
%changelog
|
||||
* Wed Nov 02 2016 Kamil Dudka <kdudka@redhat.com> 7.47.1-9
|
||||
- base64: check for integer overflow on large input (CVE-2016-8617)
|
||||
- fix double-free in krb5 code (CVE-2016-8619)
|
||||
- fix double-free in curl_maprintf() (CVE-2016-8618)
|
||||
- fix glob parser write/read out of bounds (CVE-2016-8620)
|
||||
|
|
Loading…
Reference in New Issue