File 05-Fix-double-free.patch of Package ucl
From: John Reiser <jreiser@users.sourceforge.net> Date: Mon, 27 Aug 2018 20:32:39 +0200 Subject: Fix double free (memory clobbered) bug visible in upx Patch from https://github.com/upx/upx/issues/207 to fix a crash in upx occurring on malformed input. The "m_len + 1" in fail(olen + (m_len + 1) > oend, UCL_E_OUTPUT_OVERRUN); should match the "m_len + 1" in olen += m_len + 1; because it is the number of increments of olen in the copy step: dst[olen++] = *m_pos++; do dst[olen++] = *m_pos++; while (--m_len > 0); Bugs-Debian: https://bugs.debian.org/907426 --- src/n2b_d.c | 2 +- src/n2e_d.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/n2b_d.c b/src/n2b_d.c index 26b6ca5..2725c59 100644 --- a/src/n2b_d.c +++ b/src/n2b_d.c @@ -101,7 +101,7 @@ m_len += 2; } m_len += (m_off > 0xd00); - fail(olen + m_len > oend, UCL_E_OUTPUT_OVERRUN); + fail(olen + m_len + 1> oend, UCL_E_OUTPUT_OVERRUN); fail(m_off > olen, UCL_E_LOOKBEHIND_OVERRUN); #ifdef TEST_OVERLAP olen += m_len + 1; diff --git a/src/n2e_d.c b/src/n2e_d.c index efddb49..d40059d 100644 --- a/src/n2e_d.c +++ b/src/n2e_d.c @@ -109,7 +109,7 @@ m_len += 3; } m_len += (m_off > 0x500); - fail(olen + m_len > oend, UCL_E_OUTPUT_OVERRUN); + fail(olen + m_len + 1> oend, UCL_E_OUTPUT_OVERRUN); fail(m_off > olen, UCL_E_LOOKBEHIND_OVERRUN); #ifdef TEST_OVERLAP olen += m_len + 1;
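Review bot: in the src/n2b_d.c hunk the corrected check `olen + m_len + 1> oend` still adds input-derived values before comparing. The types are not visible in this hunk, but if `olen`, `m_len` and `oend` are unsigned, a very large `m_len` decoded from malformed input could wrap the sum and pass the check. Comparing against the remaining space avoids that, for example `fail(m_len >= oend - olen, UCL_E_OUTPUT_OVERRUN);`, which is equivalent as long as `olen <= oend` holds at this point. As a style point, the new line is missing a space before `>`.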
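Review bot: in the src/n2e_d.c hunk the `+ 1` in the new bound has no comment tying it to the copy step, so the reason it must match `olen += m_len + 1;` a few lines below exists only in the commit message. A one-line comment at the check stating that the copy writes `m_len + 1` bytes would keep the two from drifting apart. The subject calls this a double free while the changed line is an output-overrun check, so the comment could also say that the overrun is the root cause. Since the identical one-line change is applied in both decoders, a regression test using the malformed input from the referenced upx issue would cover both.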