Resolves: CVE-2016-8617 - base64: check for integer overflow on large input

0020-curl-7.47.1-CVE-2016-8617.patch

@@ -0,0 +1,35 @@
+From f4145e2024d0785d6e72f5963585e7a43cace9cd Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 28 Sep 2016 00:05:12 +0200
+Subject: [PATCH] base64: check for integer overflow on large input
+
+CVE-2016-8617
+
+Bug: https://curl.haxx.se/docs/adv_20161102C.html
+Reported-by: Cure53
+
+Upstream-commit: efd24d57426bd77c9b5860e6b297904703750412
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/base64.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/base64.c b/lib/base64.c
+index 2212115..8db578c 100644
+--- a/lib/base64.c
++++ b/lib/base64.c
+@@ -190,6 +190,11 @@ static CURLcode base64_encode(const char *table64,
+   if(0 == insize)
+     insize = strlen(indata);
+ 
++#if SIZEOF_SIZE_T == 4
++  if(insize > UINT_MAX/4)
++    return CURLE_OUT_OF_MEMORY;
++#endif
++
+   base64data = output = malloc(insize*4/3+4);
+   if(NULL == output)
+     return CURLE_OUT_OF_MEMORY;
+-- 
+2.7.4
+

curl.spec

@@ -49,6 +49,9 @@ Patch18:  0018-curl-7.47.1-CVE-2016-8618.patch
 # fix double-free in krb5 code (CVE-2016-8619)
 Patch19:  0019-curl-7.47.1-CVE-2016-8619.patch
 
+# base64: check for integer overflow on large input (CVE-2016-8617)
+Patch20:  0020-curl-7.47.1-CVE-2016-8617.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -176,6 +179,7 @@ documentation of the library, too.
 %patch17 -p1
 %patch18 -p1
 %patch19 -p1
+%patch20 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -292,6 +296,7 @@ rm -rf $RPM_BUILD_ROOT
 
 %changelog
 * Wed Nov 02 2016 Kamil Dudka <kdudka@redhat.com> 7.47.1-9
+- base64: check for integer overflow on large input (CVE-2016-8617)
 - fix double-free in krb5 code (CVE-2016-8619)
 - fix double-free in curl_maprintf() (CVE-2016-8618)
 - fix glob parser write/read out of bounds (CVE-2016-8620)