rpm/libical
SHA256
1
0
Fork 0
forked from pool/libical
Code Pull Requests Activity
d2fbb3222f
libical/libical-parser-sanity-check.patch
Michal Vyskocil d2fbb3222f Accepting request 505726 from home:mgorse:branches:devel:libraries:c_c++ 
- Add fixes for various crashes:
  libical-boo986631-read-past-end.patch
  libical-boo986631-check-prev-char.patch
  libical-parser-sanity-check.patch
  libical-timezone-use-after-free.patch
  libical-boo1015964-use-after-free.patch
  Fixes boo#986631 (CVE-2016-5827), boo#986639 (CVE-2016-5824),
  boo#1015964 (CVE-2016-9584), and boo#1044995.

OBS-URL: https://build.opensuse.org/request/show/505726
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libical?expand=0&rev=43
2017-06-26 06:09:35 +00:00

101 lines
4.2 KiB
Diff
Raw Blame History

From 53e68ff6e2133c54ff44df53e8b75ef21125fb3d Mon Sep 17 00:00:00 2001
From: Ken Murchison <murch@andrew.cmu.edu>
Date: Tue, 13 Dec 2016 16:22:42 -0500
Subject: [PATCH] icalparser.c: sanity check VALUE parameter against what is
allowed
Backported by Mike Gorse <mgorse@suse.com>
---
src/libical/icalparser.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 67 insertions(+), 2 deletions(-)
diff --git a/src/libical/icalparser.c b/src/libical/icalparser.c
index 998bc96d..62e3a401 100644
--- a/src/libical/icalparser.c
+++ b/src/libical/icalparser.c
@@ -1023,6 +1023,12 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
/* If it is a VALUE parameter, set the kind of value */
if (icalparameter_isa(param) == ICAL_VALUE_PARAMETER) {
+ const char unknown_type[] =
+ "Got a VALUE parameter with an unknown type";
+ const char illegal_type[] =
+ "Got a VALUE parameter with an illegal type for property";
+ const char *value_err = NULL;
+
value_kind =
(icalvalue_kind)icalparameter_value_to_value_kind(
icalparameter_get_value(param));
@@ -1033,8 +1039,66 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
parameter ( it was not one of the defined
values ), so reset the value_kind */
- insert_error(tail, str,
- "Got a VALUE parameter with an unknown type",
+ value_err = unknown_type;
+ }
+ else if (value_kind !=
+ icalproperty_kind_to_value_kind(icalproperty_isa(prop))) {
+ /* VALUE parameter type does not match default type
+ for this property (check for allowed alternate types) */
+
+ switch (prop_kind) {
+ case ICAL_ATTACH_PROPERTY:
+ /* Accept BINARY */
+ if (value_kind != ICAL_BINARY_VALUE)
+ value_err = illegal_type;
+ break;
+
+ case ICAL_DTEND_PROPERTY:
+ case ICAL_DUE_PROPERTY:
+ case ICAL_DTSTART_PROPERTY:
+ case ICAL_EXDATE_PROPERTY:
+ case ICAL_RECURRENCEID_PROPERTY:
+ /* Accept DATE */
+ if (value_kind != ICAL_DATE_VALUE)
+ value_err = illegal_type;
+ break;
+
+ case ICAL_GEO_PROPERTY:
+ /* Accept FLOAT (but change to GEO) */
+ if (value_kind != ICAL_FLOAT_VALUE)
+ value_err = illegal_type;
+ else value_kind = ICAL_GEO_VALUE;
+ break;
+
+ case ICAL_RDATE_PROPERTY:
+ /* Accept DATE or PERIOD */
+ if (value_kind != ICAL_DATE_VALUE &&
+ value_kind != ICAL_PERIOD_VALUE)
+ value_err = illegal_type;
+ break;
+
+ case ICAL_TRIGGER_PROPERTY:
+ /* Accept DATE-TIME */
+ if (value_kind != ICAL_DATETIME_VALUE)
+ value_err = illegal_type;
+ break;
+
+ case ICAL_X_PROPERTY:
+ /* Accept ANY value type */
+ break;
+
+ default:
+ /* ONLY default type is allowed */
+ value_err = illegal_type;
+ break;
+ }
+ }
+
+ if (value_err != NULL) {
+ /* Ooops, unknown/illegal VALUE parameter,
+ so reset the value_kind */
+
+ insert_error(tail, str, value_err,
ICAL_XLICERRORTYPE_PARAMETERVALUEPARSEERROR);
value_kind = icalproperty_kind_to_value_kind(icalproperty_isa(prop));
--
2.12.3
View Git Blame Copy Permalink