d-two/operating-system
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update Buildroot 2019.02.8

Browse Source
This commit is contained in:
Pascal Vizeli
2020-01-11 16:41:13 +00:00
parent 1b08cb5d04
commit 0291dfaa64
630 changed files with 8470 additions and 3892 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
buildroot/package/file/0001-Detect-multiplication-overflow-when-computing-sector.patch Normal file
View File

@@ -0,0 +1,68 @@
From 06de62c022138f63de9bcd04074491945eaa8662 Mon Sep 17 00:00:00 2001
From: Christos Zoulas <christos@zoulas.com>
Date: Fri, 23 Aug 2019 14:29:14 +0000
Subject: [PATCH] Detect multiplication overflow when computing sector position
(found by oss-fuzz)
Fixes CVE-2019-18218
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
src/cdf.c | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/src/cdf.c b/src/cdf.c
index 556a3ff8..9d639674 100644
--- a/src/cdf.c
+++ b/src/cdf.c
@@ -35,7 +35,7 @@
#include "file.h"
#ifndef lint
-FILE_RCSID("@(#)$File: cdf.c,v 1.114 2019/02/20 02:35:27 christos Exp $")
+FILE_RCSID("@(#)$File: cdf.c,v 1.115 2019/08/23 14:29:14 christos Exp $")
#endif
#include <assert.h>
@@ -53,6 +53,10 @@ FILE_RCSID("@(#)$File: cdf.c,v 1.114 2019/02/20 02:35:27 christos Exp $")
#define EFTYPE EINVAL
#endif
+#ifndef SIZE_T_MAX
+#define SIZE_T_MAX CAST(size_t, ~0ULL)
+#endif
+
#include "cdf.h"
#ifdef CDF_DEBUG
@@ -405,7 +409,12 @@ cdf_read_sector(const cdf_info_t *info, void *buf, size_t offs, size_t len,
const cdf_header_t *h, cdf_secid_t id)
{
size_t ss = CDF_SEC_SIZE(h);
- size_t pos = CDF_SEC_POS(h, id);
+ size_t pos;
+
+ if (SIZE_T_MAX / ss < CAST(size_t, id))
+ return -1;
+
+ pos = CDF_SEC_POS(h, id);
assert(ss == len);
return cdf_read(info, CAST(off_t, pos), RCAST(char *, buf) + offs, len);
}
@@ -415,7 +424,12 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
size_t len, const cdf_header_t *h, cdf_secid_t id)
{
size_t ss = CDF_SHORT_SEC_SIZE(h);
- size_t pos = CDF_SHORT_SEC_POS(h, id);
+ size_t pos;
+
+ if (SIZE_T_MAX / ss < CAST(size_t, id))
+ return -1;
+
+ pos = CDF_SHORT_SEC_POS(h, id);
assert(ss == len);
if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
--
2.20.1