diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 00:47:27 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 00:47:27 +0000 |
| commit | d5eb37dd4a5a433c40c3c1e7ead424add62663f8 (patch) | |
| tree | 6a18289cb463d11227d1fa4c990548e50a09d917 /debian/patches/84_12-CVE-2020-28009-Integer-overflow-in-get_stdinput.patch | |
| parent | Adding upstream version 4.92. (diff) | |
| download | exim4-d5eb37dd4a5a433c40c3c1e7ead424add62663f8.tar.xz exim4-d5eb37dd4a5a433c40c3c1e7ead424add62663f8.zip | |
Adding debian version 4.92-8+deb10u6.debian/4.92-8+deb10u6
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/84_12-CVE-2020-28009-Integer-overflow-in-get_stdinput.patch')
| -rw-r--r-- | debian/patches/84_12-CVE-2020-28009-Integer-overflow-in-get_stdinput.patch | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/debian/patches/84_12-CVE-2020-28009-Integer-overflow-in-get_stdinput.patch b/debian/patches/84_12-CVE-2020-28009-Integer-overflow-in-get_stdinput.patch new file mode 100644 index 0000000..acde64a --- /dev/null +++ b/debian/patches/84_12-CVE-2020-28009-Integer-overflow-in-get_stdinput.patch @@ -0,0 +1,61 @@ +From 2cb94a53eb9186bd405120543301e1240b895d86 Mon Sep 17 00:00:00 2001 +From: Qualys Security Advisory <qsa@qualys.com> +Date: Sun, 21 Feb 2021 21:45:19 -0800 +Subject: [PATCH 12/29] CVE-2020-28009: Integer overflow in get_stdinput() + +--- + src/string.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/src/string.c b/src/string.c +index 3445f8a42..2cdbe7c75 100644 +--- a/src/string.c ++++ b/src/string.c +@@ -1147,6 +1147,18 @@ To try to keep things reasonable, we use increments whose size depends on the + existing length of the string. */ + + unsigned inc = oldsize < 4096 ? 127 : 1023; ++ ++if (g->ptr < 0 || g->ptr > g->size || g->size >= INT_MAX/2) ++ log_write(0, LOG_MAIN|LOG_PANIC_DIE, ++ "internal error in gstring_grow (ptr %d size %d)", g->ptr, g->size); ++ ++if (count <= 0) return; ++ ++if (count >= INT_MAX/2 - g->ptr) ++ log_write(0, LOG_MAIN|LOG_PANIC_DIE, ++ "internal error in gstring_grow (ptr %d count %d)", g->ptr, count); ++ ++ + g->size = ((p + count + inc) & ~inc) + 1; + + /* Try to extend an existing allocation. If the result of calling +@@ -1194,6 +1206,10 @@ string_catn(gstring * g, const uschar *s, int count) + { + int p; + ++if (count < 0) ++ log_write(0, LOG_MAIN|LOG_PANIC_DIE, ++ "internal error in string_catn (count %d)", count); ++ + if (!g) + { + unsigned inc = count < 4096 ? 127 : 1023; +@@ -1201,8 +1217,13 @@ if (!g) + g = string_get(size); + } + ++if (g->ptr < 0 || g->ptr > g->size) ++ log_write(0, LOG_MAIN|LOG_PANIC_DIE, ++ "internal error in string_catn (ptr %d size %d)", g->ptr, g->size); ++ + p = g->ptr; +-if (p + count >= g->size) ++ ++if (count >= g->size - p) + gstring_grow(g, p, count); + + /* Because we always specify the exact number of characters to copy, we can +-- +2.30.2 + |