Date: Mon, 25 Jul 2016 14:45:48 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r303298 - head/usr.bin/bsdiff/bspatch Message-ID: <201607251445.u6PEjmOp050343@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: delphij Date: Mon Jul 25 14:45:48 2016 New Revision: 303298 URL: https://svnweb.freebsd.org/changeset/base/303298 Log: Fix bspatch heap overflow vulnerability. Obtained from: Chromium Reported by: Lu Tung-Pin Security: FreeBSD-SA-16:25.bspatch Modified: head/usr.bin/bsdiff/bspatch/bspatch.c Modified: head/usr.bin/bsdiff/bspatch/bspatch.c ============================================================================== --- head/usr.bin/bsdiff/bspatch/bspatch.c Mon Jul 25 14:36:55 2016 (r303297) +++ head/usr.bin/bsdiff/bspatch/bspatch.c Mon Jul 25 14:45:48 2016 (r303298) @@ -164,6 +164,10 @@ int main(int argc,char * argv[]) } /* Sanity-check */ + if ((ctrl[0] < 0) || (ctrl[1] < 0)) + errx(1,"Corrupt patch\n"); + + /* Sanity-check */ if(newpos+ctrl[0]>newsize) errx(1,"Corrupt patch\n");
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201607251445.u6PEjmOp050343>