forked from pool/libredwg
Accepting request 628364 from devel:libraries:c_c++
- CVE-2018-14524: double free (boo#1102702) - CVE-2018-14471: NULL pointer dereference DoS (boo#1102696) (forwarded request 628363 from AndreasStieger) OBS-URL: https://build.opensuse.org/request/show/628364 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libredwg?expand=0&rev=3
This commit is contained in:
Dominique Leuenberger
Git OBS Bridge
commit
6126df1498
29
CVE-2018-14471.patch
Normal file
29
CVE-2018-14471.patch
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
From 7bb6307da56c753b962de127a43ebde3e621ecbb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Reini Urban <rurban@cpan.org>
|
||||||
|
Date: Fri, 20 Jul 2018 22:29:51 +0200
|
||||||
|
Subject: [PATCH] protect dwg_obj_block_control_get_block_headers
|
||||||
|
|
||||||
|
from empty ctrl->block_headers. Fixes [GH #32]
|
||||||
|
---
|
||||||
|
src/dwg_api.c | 8 +++++++-
|
||||||
|
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/dwg_api.c b/src/dwg_api.c
|
||||||
|
index f44f6207..82776188 100644
|
||||||
|
--- a/src/dwg_api.c
|
||||||
|
+++ b/src/dwg_api.c
|
||||||
|
@@ -17888,7 +17888,13 @@ dwg_obj_block_control_get_block_headers(const dwg_obj_block_control *restrict ct
|
||||||
|
{
|
||||||
|
dwg_object_ref **ptx = (dwg_object_ref**)
|
||||||
|
malloc(ctrl->num_entries * sizeof(Dwg_Object_Ref *));
|
||||||
|
- if (ptx)
|
||||||
|
+ if (ctrl->num_entries && !ctrl->block_headers)
|
||||||
|
+ {
|
||||||
|
+ *error = 1;
|
||||||
|
+ LOG_ERROR("%s: null block_headers", __FUNCTION__);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+ else if (ptx)
|
||||||
|
{
|
||||||
|
BITCODE_BS i;
|
||||||
|
*error = 0;
|
||||||
55
CVE-2018-14524.patch
Normal file
55
CVE-2018-14524.patch
Normal file
@ -0,0 +1,55 @@
|
|||||||
|
From 9a8b9fb49108bab5d12f3353292f8fd8ea12898f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Reini Urban <rurban@cpan.org>
|
||||||
|
Date: Mon, 23 Jul 2018 15:22:08 +0200
|
||||||
|
Subject: [PATCH] free: improve eed double-free
|
||||||
|
|
||||||
|
Fixes [GH #33], detected by jinyu00
|
||||||
|
---
|
||||||
|
src/decode.c | 2 ++
|
||||||
|
src/free.c | 6 ++----
|
||||||
|
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/decode.c b/src/decode.c
|
||||||
|
index 74668403..fb09f11a 100644
|
||||||
|
--- a/src/decode.c
|
||||||
|
+++ b/src/decode.c
|
||||||
|
@@ -2309,6 +2309,7 @@ dwg_decode_eed(Bit_Chain * dat, Dwg_Object_Object * obj)
|
||||||
|
LOG_ERROR("No EED[%d].handle", idx);
|
||||||
|
obj->num_eed = 0;
|
||||||
|
free(obj->eed);
|
||||||
|
+ obj->eed = NULL;
|
||||||
|
return error;
|
||||||
|
} else {
|
||||||
|
end = dat->byte + size;
|
||||||
|
@@ -2372,6 +2373,7 @@ dwg_decode_eed(Bit_Chain * dat, Dwg_Object_Object * obj)
|
||||||
|
free(obj->eed[idx].raw);
|
||||||
|
free(obj->eed[idx].data);
|
||||||
|
free(obj->eed);
|
||||||
|
+ obj->eed = NULL;
|
||||||
|
dat->byte = end;
|
||||||
|
return DWG_ERR_VALUEOUTOFBOUNDS; /* may not continue */
|
||||||
|
#endif
|
||||||
|
diff --git a/src/free.c b/src/free.c
|
||||||
|
index ce6940e7..65fb3f9e 100644
|
||||||
|
--- a/src/free.c
|
||||||
|
+++ b/src/free.c
|
||||||
|
@@ -267,8 +267,7 @@ dwg_free_eed(Dwg_Object* obj)
|
||||||
|
for (i=0; i < _obj->num_eed; i++) {
|
||||||
|
if (_obj->eed[i].size)
|
||||||
|
FREE_IF(_obj->eed[i].raw);
|
||||||
|
- if (_obj->eed[i].data)
|
||||||
|
- FREE_IF(_obj->eed[i].data);
|
||||||
|
+ FREE_IF(_obj->eed[i].data);
|
||||||
|
}
|
||||||
|
FREE_IF(_obj->eed);
|
||||||
|
}
|
||||||
|
@@ -277,8 +276,7 @@ dwg_free_eed(Dwg_Object* obj)
|
||||||
|
for (i=0; i < _obj->num_eed; i++) {
|
||||||
|
if (_obj->eed[i].size)
|
||||||
|
FREE_IF(_obj->eed[i].raw);
|
||||||
|
- if (_obj->eed[i].data)
|
||||||
|
- FREE_IF(_obj->eed[i].data);
|
||||||
|
+ FREE_IF(_obj->eed[i].data);
|
||||||
|
}
|
||||||
|
FREE_IF(_obj->eed);
|
||||||
|
}
|
||||||
@ -1,3 +1,11 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Aug 9 09:34:20 UTC 2018 - astieger@suse.com
|
||||||
|
|
||||||
|
- CVE-2018-14524: double free (boo#1102702)
|
||||||
|
add CVE-2018-14524.patch
|
||||||
|
- CVE-2018-14471: NULL pointer dereference DoS (boo#1102696)
|
||||||
|
add CVE-2018-14471.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Sat Jul 14 10:00:58 UTC 2018 - jengelh@inai.de
|
Sat Jul 14 10:00:58 UTC 2018 - jengelh@inai.de
|
||||||
|
|
||||||
|
|||||||
@ -27,6 +27,8 @@ Source: https://ftp.gnu.org/pub/gnu/%{name}/%{name}-%{version}.tar.xz
|
|||||||
Source2: https://ftp.gnu.org/pub/gnu/%{name}/%{name}-%{version}.tar.xz.sig
|
Source2: https://ftp.gnu.org/pub/gnu/%{name}/%{name}-%{version}.tar.xz.sig
|
||||||
Source3: http://savannah.gnu.org/people/viewgpg.php?user_id=101103#/%{name}.keyring
|
Source3: http://savannah.gnu.org/people/viewgpg.php?user_id=101103#/%{name}.keyring
|
||||||
Source4: %{name}-rpmlintrc
|
Source4: %{name}-rpmlintrc
|
||||||
|
Patch0: CVE-2018-14471.patch
|
||||||
|
Patch1: CVE-2018-14524.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
GNU LibreDWG is a C library to handle DWG files. It can replace the
|
GNU LibreDWG is a C library to handle DWG files. It can replace the
|
||||||
@ -67,6 +69,8 @@ OpenDWG libraries. DWG is the native file format of AutoCAD.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
|
%patch0 -p1
|
||||||
|
%patch1 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%configure \
|
%configure \
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user