d7c16d7fbb
- Fix CVE-2022-0530, SIGSEGV during the conversion of an utf-8 string to a local string (CVE-2022-0530, bsc#1196177) * CVE-2022-0530.patch - Fix CVE-2022-0529, Heap out-of-bound writes and reads during conversion of wide string to local string (CVE-2022-0529, bsc#1196180) * CVE-2022-0529.patch OBS-URL: https://build.opensuse.org/request/show/1005199 OBS-URL: https://build.opensuse.org/package/show/Archiving/unzip?expand=0&rev=58
38 lines
1.1 KiB
Diff
38 lines
1.1 KiB
Diff
From: Enrico Zini <enrico@debian.org>
|
|
Subject: Fix wide string conversion
|
|
Bug-Debian: https://bugs.debian.org/1010355
|
|
X-Debian-version: 6.0-27
|
|
|
|
--- a/process.c
|
|
+++ b/process.c
|
|
@@ -2507,13 +2507,15 @@
|
|
char buf[9];
|
|
char *buffer = NULL;
|
|
char *local_string = NULL;
|
|
+ size_t buffer_size;
|
|
|
|
for (wsize = 0; wide_string[wsize]; wsize++) ;
|
|
|
|
if (max_bytes < MAX_ESCAPE_BYTES)
|
|
max_bytes = MAX_ESCAPE_BYTES;
|
|
|
|
- if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
|
|
+ buffer_size = wsize * max_bytes + 1;
|
|
+ if ((buffer = (char *)malloc(buffer_size)) == NULL) {
|
|
return NULL;
|
|
}
|
|
|
|
@@ -2552,7 +2554,11 @@
|
|
/* no MB for this wide */
|
|
/* use escape for wide character */
|
|
char *escape_string = wide_to_escape_string(wide_string[i]);
|
|
- strcat(buffer, escape_string);
|
|
+ size_t buffer_len = strlen(buffer);
|
|
+ size_t escape_string_len = strlen(escape_string);
|
|
+ if (buffer_len + escape_string_len + 1 > buffer_size)
|
|
+ escape_string_len = buffer_size - buffer_len - 1;
|
|
+ strncat(buffer, escape_string, escape_string_len);
|
|
free(escape_string);
|
|
}
|
|
}
|