Date: Mon, 25 Jul 2016 14:52:12 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r303300 - stable/11/usr.bin/bsdiff/bspatch Message-ID: <201607251452.u6PEqC4t054008@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: delphij Date: Mon Jul 25 14:52:12 2016 New Revision: 303300 URL: https://svnweb.freebsd.org/changeset/base/303300 Log: Fix bspatch heap overflow vulnerability. Obtained from: Chromium Reported by: Lu Tung-Pin Security: FreeBSD-SA-16:25.bspatch Approved by: re (so@ blanket) Modified: stable/11/usr.bin/bsdiff/bspatch/bspatch.c Modified: stable/11/usr.bin/bsdiff/bspatch/bspatch.c ============================================================================== --- stable/11/usr.bin/bsdiff/bspatch/bspatch.c Mon Jul 25 14:49:15 2016 (r303299) +++ stable/11/usr.bin/bsdiff/bspatch/bspatch.c Mon Jul 25 14:52:12 2016 (r303300) @@ -164,6 +164,10 @@ int main(int argc,char * argv[]) } /* Sanity-check */ + if ((ctrl[0] < 0) || (ctrl[1] < 0)) + errx(1,"Corrupt patch\n"); + + /* Sanity-check */ if(newpos+ctrl[0]>newsize) errx(1,"Corrupt patch\n");
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201607251452.u6PEqC4t054008>