Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:GA
libplist.4095
libplist-boo1029631-32bit.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File libplist-boo1029631-32bit.patch of Package libplist.4095
From dccd9290745345896e3a4a73154576a599fd8b7b Mon Sep 17 00:00:00 2001 From: Nikias Bassen <nikias@gmx.li> Date: Sun, 26 Mar 2017 20:06:57 +0200 Subject: [PATCH] bplist: Make sure sanity checks work on 32bit platforms Because on 32-bit platforms 32-bit pointers and 64-bit sizes have been used for the sanity checks of the offset table and object references, the range checks would fail in certain interger-overflowish situations, causing heap buffer overflows or other unwanted behavior. Fixed by wideing the operands in question to 64-bit. Backported by Mike Gorse <mgorse@suse.com> --- diff -urp libplist-1.12.orig/src/bplist.c libplist-1.12/src/bplist.c --- libplist-1.12.orig/src/bplist.c 2017-05-01 13:03:48.037796333 -0500 +++ libplist-1.12/src/bplist.c 2017-05-02 14:12:25.669352857 -0500 @@ -544,6 +544,8 @@ static plist_t parse_bin_node(struct bpl { uint16_t type = 0; uint64_t size = 0; + uint64_t pobject = 0; + uint64_t poffset_table = (uint64_t)bplist->offset_table; if (!object) return NULL; @@ -577,6 +579,8 @@ static plist_t parse_bin_node(struct bpl } } + pobject = (uint64_t)*object; + switch (type) { @@ -608,12 +612,12 @@ static plist_t parse_bin_node(struct bpl } case BPLIST_UINT: - if (*object - bplist->data + (uint64_t)(1 << size) >= bplist->size) + if (pobject + (uint64_t)(1 << size) > poffset_table) return NULL; return parse_uint_node(object, size); case BPLIST_REAL: - if (*object - bplist->data + (uint64_t)(1 << size) >= bplist->size) + if (pobject + (uint64_t)(1 << size) > poffset_table) return NULL; return parse_real_node(object, size); @@ -621,36 +625,38 @@ static plist_t parse_bin_node(struct bpl if (3 != size) return NULL; else - if (*object - bplist->data + (uint64_t)(1 << size) >= bplist->size) + if (pobject + (uint64_t)(1 << size) > poffset_table) return NULL; return parse_date_node(object, size); case BPLIST_DATA: - if (*object - bplist->data + size >= bplist->size) + if (pobject + size < pobject || pobject + size > poffset_table) return NULL; return parse_data_node(object, size); case BPLIST_STRING: - if (*object - bplist->data + size >= bplist->size) + if (pobject + size < pobject || pobject + size > poffset_table) return NULL; return parse_string_node(object, size); case BPLIST_UNICODE: - if (*object - bplist->data + size * 2 >= bplist->size) + if (pobject + size*2 < pobject || pobject + size*2 > poffset_table) return NULL; return parse_unicode_node(object, size); case BPLIST_SET: case BPLIST_ARRAY: - if (*object - bplist->data + size >= bplist->size) + if (pobject + size < pobject || pobject + size > poffset_table) return NULL; return parse_array_node(bplist, object, size); case BPLIST_UID: + if (pobject + size+1 > poffset_table) + return NULL; return parse_uid_node(object, size); case BPLIST_DICT: - if (*object - bplist->data + size >= bplist->size) + if (pobject + size < pobject || pobject + size > poffset_table) return NULL; return parse_dict_node(bplist, object, size);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor