mirror of
https://github.com/novatiq/packages.git
synced 2026-04-30 07:28:39 +01:00
Josef Schlehofer
44 lines
1.4 KiB
Diff
44 lines
1.4 KiB
Diff
From 692d5c5215de0db482c252492a92fc424cc6a97c Mon Sep 17 00:00:00 2001
|
|
From: Tim Ruehsen <tim.ruehsen@gmx.de>
|
|
Date: Fri, 5 Apr 2019 11:50:44 +0200
|
|
Subject: Fix a buffer overflow vulnerability
|
|
|
|
* src/iri.c(do_conversion): Reallocate the output buffer to a larger
|
|
size if it is already full
|
|
---
|
|
src/iri.c | 12 +++++++++---
|
|
1 file changed, 9 insertions(+), 3 deletions(-)
|
|
|
|
--- a/src/iri.c
|
|
+++ b/src/iri.c
|
|
@@ -151,8 +151,11 @@ do_conversion (const char *tocode, const
|
|
*out = s = xmalloc (outlen + 1);
|
|
done = 0;
|
|
|
|
+ DEBUGP (("iconv %s -> %s\n", tocode, fromcode));
|
|
+
|
|
for (;;)
|
|
{
|
|
+ DEBUGP (("iconv outlen=%d inlen=%d\n", outlen, inlen));
|
|
if (iconv (cd, (ICONV_CONST char **) &in, &inlen, out, &outlen) != (size_t)(-1) &&
|
|
iconv (cd, NULL, NULL, out, &outlen) != (size_t)(-1))
|
|
{
|
|
@@ -187,11 +190,14 @@ do_conversion (const char *tocode, const
|
|
}
|
|
else if (errno == E2BIG) /* Output buffer full */
|
|
{
|
|
+ logprintf (LOG_VERBOSE,
|
|
+ _("Reallocate output buffer len=%d outlen=%d inlen=%d\n"), len, outlen, inlen);
|
|
tooshort++;
|
|
done = len;
|
|
- len = outlen = done + inlen * 2;
|
|
- s = xrealloc (s, outlen + 1);
|
|
- *out = s + done;
|
|
+ len = done + inlen * 2;
|
|
+ s = xrealloc (s, len + 1);
|
|
+ *out = s + done - outlen;
|
|
+ outlen += inlen * 2;
|
|
}
|
|
else /* Weird, we got an unspecified error */
|
|
{
|