Gentoo's Bugzilla – Attachment 178655 Details for Bug 249214: dev-libs/glib <2.16.6-r1 g_base64_encode heap-based buffer overflow (CVE-2008-4316)
glib2-CVE-2008-4316.patch (text/plain), 2.63 KB, created by Robert Buchholz (RETIRED) on 2009-01-16 01:33:31 UTC
>--- glib/gbase64.c.orig 2008-12-04 12:07:21.000000000 +0100 >+++ glib/gbase64.c 2009-01-12 14:08:31.000000000 +0100 >@@ -54,8 +54,9 @@ static const char base64_alphabet[] = > * > * The output buffer must be large enough to fit all the data that will > * be written to it. Due to the way base64 encodes you will need >- * at least: @len * 4 / 3 + 6 bytes. If you enable line-breaking you will >- * need at least: @len * 4 / 3 + @len * 4 / (3 * 72) + 7 bytes. >+ * at least: (@len / 3 + 1) * 4 + 4 bytes (+ 4 may be needed in case of >+ * non-zero state). If you enable line-breaking you will need at least: >+ * ((@len / 3 + 1) * 4 + 4) / 72 + 1 bytes of extra space. > * > * @break_lines is typically used when putting base64-encoded data in emails. > * It breaks the lines at 72 columns instead of putting all of the text on >@@ -233,8 +234,14 @@ g_base64_encode (const guchar *data, > g_return_val_if_fail (data != NULL, NULL); > g_return_val_if_fail (len > 0, NULL); > >- /* We can use a smaller limit here, since we know the saved state is 0 */ >- out = g_malloc (len * 4 / 3 + 4); >+ /* We can use a smaller limit here, since we know the saved state is 0, >+ +1 is needed for trailing \0, also check for unlikely integer overflow */ >+ if (len >= ((G_MAXSIZE - 1) / 4 - 1) * 3) >+ g_error("%s: input too large for Base64 encoding (%"G_GSIZE_FORMAT" chars)", >+ G_STRLOC, len); >+ >+ out = g_malloc ((len / 3 + 1) * 4 + 1); >+ > outlen = g_base64_encode_step (data, len, FALSE, out, &state, &save); > outlen += g_base64_encode_close (FALSE, out + outlen, &state, &save); > out[outlen] = '\0'; 
>@@ -275,7 +282,8 @@ static const unsigned char mime_base64_r > * > * The output buffer must be large enough to fit all the data that will > * be written to it. Since base64 encodes 3 bytes in 4 chars you need >- * at least: @len * 3 / 4 bytes. >+ * at least: (@len / 4) * 3 + 3 bytes (+ 3 may be needed in case of non-zero >+ * state). > * > * Return value: The number of bytes of output that was written > * >@@ -358,7 +366,8 @@ g_base64_decode (const gchar *text, > gsize *out_len) > { > guchar *ret; >- gint input_length, state = 0; >+ gsize input_length; >+ gint state = 0; > guint save = 0; > > g_return_val_if_fail (text != NULL, NULL); >@@ -368,7 +377,9 @@ g_base64_decode (const gchar *text, > > g_return_val_if_fail (input_length > 1, NULL); > >- ret = g_malloc0 (input_length * 3 / 4); >+ /* We can use a smaller limit here, since we know the saved state is 0, >+ +1 used to avoid calling g_malloc0(0), and hence retruning NULL */ >+ ret = g_malloc0 ((input_length / 4) * 3 + 1); > > *out_len = g_base64_decode_step (text, input_length, ret, &state, &save); >
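Review bot: In the first hunk (@@ -54,8 +54,9 @@, the g_base64_encode_step doc comment) the two sizes are now stated on different bases: the first is a total, (@len / 3 + 1) * 4 + 4 bytes, while the line-breaking figure is "bytes of extra space" on top of that total. The removed text gave a total in both sentences, so a caller who reads the new second formula the old way will allocate far too little. Suggest writing the break_lines case out as a full sum and stating that the divisions are integer divisions.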
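Review bot: In the g_base64_encode hunk (@@ -233,8 +234,14 @@) the new overflow guard ends in g_error, which aborts the process, whereas the two g_return_val_if_fail checks directly above it return NULL; the hunk does not touch the function's doc comment, so callers have no way to learn that an oversized len terminates the program. Suggest documenting that behaviour next to the return value description. Two smaller points on the same lines: the message reports len as "chars" although it is a byte count of binary input, and g_error( is missing the space before the parenthesis that the surrounding calls use. The bound itself checks out: len below ((G_MAXSIZE - 1) / 4 - 1) * 3 keeps (len / 3 + 1) * 4 + 1 under G_MAXSIZE.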
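Review bot: In the last hunk (@@ -368,7 +377,9 @@, g_base64_decode) the new comment has a typo, "retruning" for "returning", and its reasoning is terse enough to be misread: the + 1 matters only for input_length values of 2 and 3, which pass the input_length > 1 check above and make (input_length / 4) * 3 equal to 0. Suggest saying that in the comment. Dividing before multiplying also removes the overflow that input_length * 3 could hit now that input_length is a gsize, which is worth one clause in the comment so nobody reorders the expression later.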
Attachments on bug 249214: 178655 | 183385