gentoo-overlay/net-libs/openslp/files/openslp-2.0.0-CVE-2012-4428...


Description: Fix out-of-bounds buffer access (CVE-2012-4428)
Fix handling of string-list in common/slp_common.c by not increasing
the item pointer past the string-list pointer, and letting '\\' only
escape the item separator ','.
Author: Guillem Jover <guillem@debian.org>
Origin: vendor
Bug: http://sourceforge.net/p/openslp/bugs/122/
Bug-Debian: https://bugs.debian.org/687597
Last-Update: 2014-07-25
Strangely nobody seems to have fixed this in openslp-2.0.0 ever.
Patch forward-ported; one chunk isn't needed anymore as the code has been
independently rewritten. Andreas K. Hüttel <dilfridge@gentoo.org>
diff -ruN openslp-2.0.0.orig/common/slp_compare.c openslp-2.0.0/common/slp_compare.c
--- openslp-2.0.0.orig/common/slp_compare.c 2012-12-12 20:12:43.000000000 +0100
+++ openslp-2.0.0/common/slp_compare.c 2017-02-18 19:59:55.296473698 +0100
@@ -587,13 +587,10 @@
/* seek to the end of the next list item */
while(1)
{
- if(itemend == listend || *itemend == ',')
- {
- if(*(itemend - 1) != '\\')
- {
- break;
- }
- }
+ if(itemend == listend)
+ break;
+ if(*itemend == ',' && *(itemend - 1) != '\\')
+ break;
itemend++;
}
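Review bot: the look-back `*(itemend - 1)` in the new comma test has no lower bound in the lines shown here. If `itemend` still points at the first byte of the item when that byte is ',' (an empty leading item), this reads one byte before the item. The hunk bounds the pointer at `listend` but not at the start, so either guard the look-back with a check that `itemend` has advanced past the item's first byte, or add a comment naming the earlier code that guarantees it. A one-byte look-back also cannot tell an escaped comma from a comma that follows an escaped backslash; if the description's "only escape the item separator" is meant to cover that case, it deserves a comment here.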
@@ -683,9 +680,10 @@
/* seek to the end of the next list item */
while (1)
{
- if (itemend == listend || *itemend == ',')
- if (*(itemend - 1) != '\\')
- break;
+ if(itemend == listend)
+ break;
+ if(*itemend == ',' && *(itemend - 1) != '\\')
+ break;
itemend++;
}
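Review bot: the added `if(` lines in this hunk drop the space that the surrounding `while (1)` and the removed `if (` lines use, so the new code does not match the style of the function it lands in; use `if (itemend == listend)` and `if (*itemend == ',' && ...)` here. This loop is also now line-for-line identical to the one patched at line 587, so moving the "seek to the end of the next list item" scan into one shared helper would keep the two bounds checks from drifting apart again.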