path: root/debian/patches/84_12-CVE-2020-28009-Integer-overflow-in-get_stdinput.patch
blob: acde64abc39e86d7a222b4e45b51bf8db1bb84e5 (plain)
From 2cb94a53eb9186bd405120543301e1240b895d86 Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Sun, 21 Feb 2021 21:45:19 -0800
Subject: [PATCH 12/29] CVE-2020-28009: Integer overflow in get_stdinput()

---
 src/string.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/string.c b/src/string.c
index 3445f8a42..2cdbe7c75 100644
--- a/src/string.c
+++ b/src/string.c
@@ -1147,6 +1147,18 @@ To try to keep things reasonable, we use increments whose size depends on the
 existing length of the string. */
 
 unsigned inc = oldsize < 4096 ? 127 : 1023;
+
+if (g->ptr < 0 || g->ptr > g->size || g->size >= INT_MAX/2)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+      "internal error in gstring_grow (ptr %d size %d)", g->ptr, g->size);
+
+if (count <= 0) return;
+
+if (count >= INT_MAX/2 - g->ptr)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+      "internal error in gstring_grow (ptr %d count %d)", g->ptr, count);
+
+
 g->size = ((p + count + inc) & ~inc) + 1;
 
 /* Try to extend an existing allocation. If the result of calling
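Review bot: The new guards bound `g->ptr`, but the size computation right after them still uses the separate parameter `p` (`g->size = ((p + count + inc) & ~inc) + 1;`), so the overflow bound holds only if every caller passes `p == g->ptr`. On this page that is true for string_catn, which sets `p = g->ptr` before calling, but other callers are not visible here. Bounding the value that is actually added removes the assumption: `if (p < 0 || p > g->size || count >= INT_MAX/2 - p)`. The checks also depend on `log_write()` with `LOG_PANIC_DIE` never returning, which looks intended but deserves a one-line comment, since nothing else stops execution from reaching the arithmetic. The function's signature and the rest of its body are outside the hunk.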
@@ -1194,6 +1206,10 @@ string_catn(gstring * g, const uschar *s, int count)
 {
 int p;
 
+if (count < 0)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+      "internal error in string_catn (count %d)", count);
+
 if (!g)
   {
   unsigned inc = count < 4096 ? 127 : 1023;
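Review bot: The added check rejects only a negative `count`; on the `!g` path nothing visible bounds it from above before the initial `size` is derived and passed to `string_get(size)`. The line that computes `size` falls between this hunk and the next and is not shown, so this is inferred: if it adds `inc` to `count`, a value close to INT_MAX could wrap there, while the existing-buffer path is covered by the INT_MAX/2 guard in gstring_grow. Applying the same ceiling at the top of string_catn would make both paths agree, e.g. `if (count < 0 || count >= INT_MAX/2)`. The function body continues outside the hunk.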
@@ -1201,8 +1217,13 @@ if (!g)
   g = string_get(size);
   }
 
+if (g->ptr < 0 || g->ptr > g->size)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+      "internal error in string_catn (ptr %d size %d)", g->ptr, g->size);
+
 p = g->ptr;
-if (p + count >= g->size)
+
+if (count >= g->size - p)
   gstring_grow(g, p, count);
 
 /* Because we always specify the exact number of characters to copy, we can
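Review bot: The rewritten test `if (count >= g->size - p)` has no comment explaining why it is written as a subtraction, so a later cleanup could turn it back into `p + count >= g->size` and reintroduce the signed overflow. It is safe only because `count >= 0` and `0 <= p <= g->size` were checked earlier in the function. I would add above it: `/* Subtract rather than add: p + count can overflow int. Relies on count >= 0 and 0 <= p <= g->size, checked above. */`. The same ptr/size invariant test now appears in both gstring_grow and string_catn with slightly different conditions, so a shared static helper would keep the two from drifting. The function body continues outside the hunk.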
-- 
2.30.2