mirror of
https://git.yoctoproject.org/poky
synced 2026-07-16 15:57:04 +00:00
06d9c89463
CVE-2016-2090 Heap buffer overflow in fgetwln function of libbsd affects libbsd <= 0.8.1 (and therefore not needed in master) (From OE-Core rev: ab29efb8e85020a3621079c7fde217c1bfaa5289) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
51 lines
1.4 KiB
Diff
51 lines
1.4 KiB
Diff
From c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 Mon Sep 17 00:00:00 2001
|
|
From: Hanno Boeck <hanno@hboeck.de>
|
|
Date: Wed, 27 Jan 2016 15:10:11 +0100
|
|
Subject: [PATCH] Fix heap buffer overflow in fgetwln()
|
|
|
|
In the function fgetwln() there's a 4 byte heap overflow.
|
|
|
|
There is a while loop that has this check to see whether there's still
|
|
enough space in the buffer:
|
|
|
|
if (!fb->len || wused > fb->len) {
|
|
|
|
If this is true more memory gets allocated. However this test won't be
|
|
true if wused == fb->len, but at that point wused already points out
|
|
of the buffer. Some lines later there's a write to the buffer:
|
|
|
|
fb->wbuf[wused++] = wc;
|
|
|
|
This bug was found with the help of address sanitizer.
|
|
|
|
Warned-by: ASAN
|
|
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=93881
|
|
Signed-off-by: Guillem Jover <guillem@hadrons.org>
|
|
|
|
Upstream-Status: Backport
|
|
http://cgit.freedesktop.org/libbsd/commit/?id=c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7
|
|
|
|
CVE: CVE-2016-2090
|
|
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
|
|
|
---
|
|
src/fgetwln.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/src/fgetwln.c b/src/fgetwln.c
|
|
index 9ee0776..aa3f927 100644
|
|
--- a/src/fgetwln.c
|
|
+++ b/src/fgetwln.c
|
|
@@ -60,7 +60,7 @@ fgetwln(FILE *stream, size_t *lenp)
|
|
fb->fp = stream;
|
|
|
|
while ((wc = fgetwc(stream)) != WEOF) {
|
|
- if (!fb->len || wused > fb->len) {
|
|
+ if (!fb->len || wused >= fb->len) {
|
|
wchar_t *wp;
|
|
|
|
if (fb->len)
|
|
--
|
|
2.3.5
|
|
|