db41b7577d
Upstream has a few more CVEs but didn't make a new release yet. In the meantime we patch what we can Fixes: - CVE-2017-8842 - CVE-2017-8844 - CVE-2017-8845 - CVE-2018-5650 The CVEs left remaining to be fixed by upstream are ( Removed CVE- prefix as to not confuse tools that grep for those values) CVE: 2017-8843 SEVERITY: 4.3 CVE: 2017-8846 SEVERITY: 4.3 CVE: 2017-8847 SEVERITY: 4.3 CVE: 2017-9928 SEVERITY: 4.3 CVE: 2017-9929 SEVERITY: 4.3 CVE: 2018-11496 SEVERITY: 4.3 CVE: 2018-5747 SEVERITY: 4.3
35 lines
1.4 KiB
Diff
35 lines
1.4 KiB
Diff
From dc57230636fe8da068674e1023b2f07c593ec21b Mon Sep 17 00:00:00 2001
|
|
From: Con Kolivas <kernel@kolivas.org>
|
|
Date: Wed, 16 May 2018 14:30:15 +1000
|
|
Subject: [PATCH] Cope with compressed length being longer than uncompressed
|
|
and rounding up, attending to CVE-2017-8844.
|
|
|
|
---
|
|
stream.c | 6 ++++--
|
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/stream.c b/stream.c
|
|
index 4ef910e..01b883a 100644
|
|
--- a/stream.c
|
|
+++ b/stream.c
|
|
@@ -1564,7 +1564,7 @@ static void *ucompthread(void *data)
|
|
/* fill a buffer from a stream - return -1 on failure */
|
|
static int fill_buffer(rzip_control *control, struct stream_info *sinfo, int streamno)
|
|
{
|
|
- i64 u_len, c_len, last_head, padded_len, header_length;
|
|
+ i64 u_len, c_len, last_head, padded_len, header_length, max_len;
|
|
uchar enc_head[25 + SALT_LEN], blocksalt[SALT_LEN];
|
|
struct stream *s = &sinfo->s[streamno];
|
|
stream_thread_struct *st;
|
|
@@ -1639,7 +1639,9 @@ static int fill_buffer(rzip_control *control, struct stream_info *sinfo, int str
|
|
|
|
if (unlikely(u_len > control->maxram))
|
|
fatal_return(("Unable to malloc buffer of size %lld in this environment\n", u_len), -1);
|
|
- s_buf = malloc(MAX(u_len, MIN_SIZE));
|
|
+ max_len = MAX(u_len, MIN_SIZE);
|
|
+ max_len = MAX(max_len, c_len);
|
|
+ s_buf = malloc(max_len);
|
|
if (unlikely(u_len && !s_buf))
|
|
fatal_return(("Unable to malloc buffer of size %lld in fill_buffer\n", u_len), -1);
|
|
sinfo->ram_alloced += u_len;
|
|
|