blob: d9a7f4cdaab9e82e8d30910e4723a9c2bde77805 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
From: Tim Ruehsen <tim.ruehsen@gmx.de>
Date: Fri, 5 Apr 2019 11:50:44 +0200
Subject: Fix a buffer overflow vulnerability
Origin: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c,
https://git.savannah.gnu.org/cgit/wget.git/commit/?id=562eacb76a2b64d5dc80a443f0f739bc9ef76c17
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-5953
Bug-Debian: https://bugs.debian.org/926389
* src/iri.c(do_conversion): Reallocate the output buffer to a larger
size if it is already full
---
src/iri.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/src/iri.c
+++ b/src/iri.c
@@ -189,9 +189,10 @@ do_conversion (const char *tocode, const
{
tooshort++;
done = len;
- len = outlen = done + inlen * 2;
- s = xrealloc (s, outlen + 1);
- *out = s + done;
+ len = done + inlen * 2;
+ s = xrealloc (s, len + 1);
+ *out = s + done - outlen;
+ outlen += inlen * 2;
}
else /* Weird, we got an unspecified error */
{
|
