git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
file
1
0
Fork 0
Files Pull Requests 0 Wiki
Tree: 929e8f7daa
Branches Tags
file
/
debian
/
patches
/
CVE-2014-3479.patch

CVE-2014-3479.patch 1.2 KB
History Raw

12345678910111213141516171819202122232425262728293031323334 
  1. Subject: The cdf_check_stream_offset function in relies on incorrect sector-size
    2. 

  2. ID: CVE-2014-3479
    3. 

  3. Author: Christos Zoulas <christos@zoulas.com>
    4. 

  4. Date: Wed Jun 4 17:26:07 2014 +0000
    5. 

  5. Origin:
    6. 

  6.     commit 36fadd29849b8087af9f4586f89dbf74ea45be67
    7. 

  7. Debian-Author: Holger Levsen <holger@debian.org>
    8. 

  8. Reviewed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
    9. 

  9. Last-Update: 2014-09-07
    10. 

  10. 

  11.     Use the proper sector size when checking stream offsets (Francisco Alonso and
    12. 

  12.     Jan Kaluza at RedHat)
    13. 

  13. 

  14. --- a/src/cdf.c
    15. 

  15. +++ b/src/cdf.c
    16. 

  16. @@ -267,13 +267,15 @@
    17. 

  17.  {
    18. 

  18.  	const char *b = (const char *)sst->sst_tab;
    19. 

  19.  	const char *e = ((const char *)p) + tail;
    20. 

  20. +	size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ?
    21. 

  21. +	    CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h);
    22. 

  22.  	(void)&line;
    23. 

  23. -	if (e >= b && (size_t)(e - b) < CDF_SEC_SIZE(h) * sst->sst_len)
    24. 

  24. +	if (e >= b && (size_t)(e - b) <= ss * sst->sst_len)
    25. 

  25.  		return 0;
    26. 

  26.  	DPRINTF(("%d: offset begin %p end %p %" SIZE_T_FORMAT "u"
    27. 

  27. -	    " >= %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %"
    28. 

  28. +	    " > %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %"
    29. 

  29.  	    SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b),
    30. 

  30. -	    CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len));
    31. 

  31. +	    ss * sst->sst_len, ss, sst->sst_len));
    32. 

  32.  	errno = EFTYPE;
    33. 

  33.  	return -1;
    34. 

  34.  }
    35.