Date: Mon, 25 Jul 2016 14:53:04 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r303301 - in stable: 10/usr.bin/bsdiff/bspatch 9/usr.bin/bsdiff/bspatch Message-ID: <201607251453.u6PEr4VJ054245@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: delphij Date: Mon Jul 25 14:53:04 2016 New Revision: 303301 URL: https://svnweb.freebsd.org/changeset/base/303301 Log: Fix bspatch heap overflow vulnerability. Obtained from: Chromium Reported by: Lu Tung-Pin Security: FreeBSD-SA-16:25.bspatch Modified: stable/10/usr.bin/bsdiff/bspatch/bspatch.c Changes in other areas also in this revision: Modified: stable/9/usr.bin/bsdiff/bspatch/bspatch.c Modified: stable/10/usr.bin/bsdiff/bspatch/bspatch.c ============================================================================== --- stable/10/usr.bin/bsdiff/bspatch/bspatch.c Mon Jul 25 14:52:12 2016 (r303300) +++ stable/10/usr.bin/bsdiff/bspatch/bspatch.c Mon Jul 25 14:53:04 2016 (r303301) @@ -155,6 +155,10 @@ int main(int argc,char * argv[]) }; /* Sanity-check */ + if ((ctrl[0] < 0) || (ctrl[1] < 0)) + errx(1,"Corrupt patch\n"); + + /* Sanity-check */ if(newpos+ctrl[0]>newsize) errx(1,"Corrupt patch\n");
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201607251453.u6PEr4VJ054245>