libical/libical-timezone-use-after-free.patch
Michal Vyskocil d2fbb3222f Accepting request 505726 from home:mgorse:branches:devel:libraries:c_c++
- Add fixes for various crashes:
  libical-boo986631-read-past-end.patch
  libical-boo986631-check-prev-char.patch
  libical-parser-sanity-check.patch
  libical-timezone-use-after-free.patch
  libical-boo1015964-use-after-free.patch
  Fixes boo#986631 (CVE-2016-5827), boo#986639 (CVE-2016-5824),
  boo#1015964 (CVE-2016-9584), and boo#1044995.

OBS-URL: https://build.opensuse.org/request/show/505726
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libical?expand=0&rev=43
2017-06-26 06:09:35 +00:00


From 6bcc779a17a2d286e4c3cb958ddf369cc01cb42c Mon Sep 17 00:00:00 2001
From: Allen Winter <allen.winter@kdab.com>
Date: Thu, 15 Dec 2016 18:17:10 -0500
Subject: [PATCH] icaltimezone.c - fix heap-use-after-free caused by
fetch_lat_long_from_string() issue#262
Backported by Mike Gorse <mgorse@suse.com>
---
diff -urp libical-2.0.0.orig/src/libical/icaltimezone.c libical-2.0.0/src/libical/icaltimezone.c
--- libical-2.0.0.orig/src/libical/icaltimezone.c 2015-12-28 15:44:53.000000000 -0600
+++ libical-2.0.0/src/libical/icaltimezone.c 2017-06-19 15:48:27.789017341 -0500
@@ -1520,39 +1520,39 @@ static int fetch_lat_long_from_string(co
/* We need to parse the latitude/longitude co-ordinates and location fields */
sptr = (char *)str;
- while (*sptr != '\t') {
+ while ((*sptr != '\t') && (*sptr != '\0')) {
sptr++;
}
temp = ++sptr;
- while (*sptr != '\t') {
+ while (*sptr != '\t' && *sptr != '\0') {
sptr++;
}
len = (ptrdiff_t) (sptr - temp);
lat = (char *)malloc(len + 1);
lat = strncpy(lat, temp, len);
lat[len] = '\0';
- while (*sptr != '\t') {
+ while ((*sptr != '\t') && (*sptr != '\0')) {
sptr++;
}
loc = ++sptr;
- while (!isspace((int)(*sptr))) {
+ while (!isspace((int)(*sptr)) && (*sptr != '\0')) {
sptr++;
}
- len = (ptrdiff_t) (sptr - loc);
+ len = (ptrdiff_t)(sptr - loc);
location = strncpy(location, loc, len);
location[len] = '\0';
#if defined(sun) && defined(__SVR4)
/* Handle EET, MET and WET in zone_sun.tab. */
if (!strcmp(location, "Europe/")) {
- while (*sptr != '\t') {
+ while ((*sptr != '\t') && (*sptr != '\0')) {
sptr++;
}
loc = ++sptr;
- while (!isspace(*sptr)) {
+ while (!isspace(*sptr) && (*sptr != '\0')) {
sptr++;
}
- len = sptr - loc;
+ len = (ptrdiff_t)(sptr - loc);
location = strncpy(location, loc, len);
location[len] = '\0';
}
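Review bot: The added `'\0'` tests stop each scan at the terminator, but the unconditional `temp = ++sptr;` and `loc = ++sptr;` that follow still advance one byte past it, so a line with fewer tab-separated fields than expected sends the next loop reading beyond the end of `str`. After each tab-seeking loop the code should test `if (*sptr == '\0')` and take the function's failure path (releasing `lat` once it has been allocated) instead of incrementing. Two related gaps sit in the surrounding context lines: the result of `malloc(len + 1)` is passed to `strncpy` without a NULL check, and `len` is never compared with the capacity of `location`, whose size is not visible in this hunk. The body of fetch_lat_long_from_string() starts and ends outside the hunk, so the error-return convention and the `location` buffer declaration need to be confirmed there.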
Only in libical-2.0.0/src/libical: icaltimezone.c.orig