aboutsummaryrefslogtreecommitdiffstats
path: root/meta/recipes-support/libbsd/files/CVE-2016-2090.patch
blob: 2eaae1386dceede505dd32603c1a5a1d772cd226 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
From c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 Mon Sep 17 00:00:00 2001
From: Hanno Boeck <hanno@hboeck.de>
Date: Wed, 27 Jan 2016 15:10:11 +0100
Subject: [PATCH] Fix heap buffer overflow in fgetwln()

In the function fgetwln() there's a 4 byte heap overflow.

There is a while loop that has this check to see whether there's still
enough space in the buffer:

		if (!fb->len || wused > fb->len) {

If this is true more memory gets allocated. However this test won't be
true if wused == fb->len, but at that point wused already points out
of the buffer. Some lines later there's a write to the buffer:

		fb->wbuf[wused++] = wc;

This bug was found with the help of address sanitizer.

Warned-by: ASAN
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=93881
Signed-off-by: Guillem Jover <guillem@hadrons.org>

Upstream-Status: Backport
http://cgit.freedesktop.org/libbsd/commit/?id=c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7

CVE: CVE-2016-2090
Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 src/fgetwln.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/fgetwln.c b/src/fgetwln.c
index 9ee0776..aa3f927 100644
--- a/src/fgetwln.c
+++ b/src/fgetwln.c
@@ -60,7 +60,7 @@ fgetwln(FILE *stream, size_t *lenp)
 	fb->fp = stream;
 
 	while ((wc = fgetwc(stream)) != WEOF) {
-		if (!fb->len || wused > fb->len) {
+		if (!fb->len || wused >= fb->len) {
 			wchar_t *wp;
 
 			if (fb->len)
-- 
2.3.5