Date: Tue, 8 Mar 2016 21:15:16 +0000 (UTC) From: Jan Beich <jbeich@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r410664 - in head: archivers/brotli archivers/brotli/files devel/libbrotli devel/libbrotli/files Message-ID: <201603082115.u28LFGZr026889@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jbeich Date: Tue Mar 8 21:15:16 2016 New Revision: 410664 URL: https://svnweb.freebsd.org/changeset/ports/410664 Log: archivers/brotli, devel/libbrotli: fix buffer overflow Obtained from: upstream Security: 1bcfd963-e483-41b8-ab8e-bad5c3ce49c9 MFH: 2016Q1 Added: head/archivers/brotli/files/ head/archivers/brotli/files/patch-CVE-2016-1624 (contents, props changed) head/devel/libbrotli/files/patch-CVE-2016-1624 (contents, props changed) Modified: head/archivers/brotli/Makefile (contents, props changed) head/devel/libbrotli/Makefile (contents, props changed) Modified: head/archivers/brotli/Makefile ============================================================================== --- head/archivers/brotli/Makefile Tue Mar 8 21:09:18 2016 (r410663) +++ head/archivers/brotli/Makefile Tue Mar 8 21:15:16 2016 (r410664) @@ -4,6 +4,7 @@ PORTNAME= brotli PORTVERSION= 0.3.0 DISTVERSIONPREFIX= v +PORTREVISION= 1 CATEGORIES= archivers MAINTAINER= sunpoet@FreeBSD.org Added: head/archivers/brotli/files/patch-CVE-2016-1624 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/archivers/brotli/files/patch-CVE-2016-1624 Tue Mar 8 21:15:16 2016 (r410664) @@ -0,0 +1,24 @@ +From 37a320dd81db8d546cd24a45b4c61d87b45dcade Mon Sep 17 00:00:00 2001 +From: eustas <eustas.ru@gmail.com> +Date: Thu, 4 Feb 2016 15:35:44 +0100 +Subject: [PATCH] Fix possible pointer underflow + +--- + dec/decode.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/dec/decode.c b/dec/decode.c +index 920959c..892a254 100644 +--- dec/decode.c ++++ dec/decode.c +@@ -1714,6 +1714,10 @@ static BROTLI_INLINE BrotliResult ProcessCommandsInternal(int safe, + } else { + const uint8_t *ringbuffer_end_minus_copy_length = + s->ringbuffer_end - i; ++ /* Check for possible underflow and clamp the pointer to 0. */ ++ if (PREDICT_FALSE(s->ringbuffer_end < (const uint8_t*)0 + i)) { ++ ringbuffer_end_minus_copy_length = 0; ++ } + uint8_t* copy_src = &s->ringbuffer[ + (pos - s->distance_code) & s->ringbuffer_mask]; + uint8_t* copy_dst = &s->ringbuffer[pos]; Modified: head/devel/libbrotli/Makefile ============================================================================== --- head/devel/libbrotli/Makefile Tue Mar 8 21:09:18 2016 (r410663) +++ head/devel/libbrotli/Makefile Tue Mar 8 21:15:16 2016 (r410664) @@ -3,7 +3,7 @@ PORTNAME= libbrotli PORTVERSION= ${BROTLI_VERSION} -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= devel archivers MAINTAINER= osa@FreeBSD.org @@ -24,8 +24,10 @@ GNU_CONFIGURE= yes MAKE_JOBS_UNSAFE= yes USE_LDCONFIG= yes -pre-configure: +post-extract: ${RMDIR} ${WRKSRC}/brotli && ${MV} ${WRKDIR}/brotli-${BROTLI_VERSION} ${WRKSRC}/brotli + +pre-configure: cd ${WRKSRC} && ./autogen.sh .include <bsd.port.mk> Added: head/devel/libbrotli/files/patch-CVE-2016-1624 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/devel/libbrotli/files/patch-CVE-2016-1624 Tue Mar 8 21:15:16 2016 (r410664) @@ -0,0 +1,24 @@ +From 37a320dd81db8d546cd24a45b4c61d87b45dcade Mon Sep 17 00:00:00 2001 +From: eustas <eustas.ru@gmail.com> +Date: Thu, 4 Feb 2016 15:35:44 +0100 +Subject: [PATCH] Fix possible pointer underflow + +--- + dec/decode.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/dec/decode.c b/dec/decode.c +index 920959c..892a254 100644 +--- brotli/dec/decode.c ++++ brotli/dec/decode.c +@@ -1714,6 +1714,10 @@ static BROTLI_INLINE BrotliResult ProcessCommandsInternal(int safe, + } else { + const uint8_t *ringbuffer_end_minus_copy_length = + s->ringbuffer_end - i; ++ /* Check for possible underflow and clamp the pointer to 0. */ ++ if (PREDICT_FALSE(s->ringbuffer_end < (const uint8_t*)0 + i)) { ++ ringbuffer_end_minus_copy_length = 0; ++ } + uint8_t* copy_src = &s->ringbuffer[ + (pos - s->distance_code) & s->ringbuffer_mask]; + uint8_t* copy_dst = &s->ringbuffer[pos];
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201603082115.u28LFGZr026889>