diff options
author | Robert Marko <robert.marko@sartura.hr> | 2020-05-12 22:18:33 +0200 |
---|---|---|
committer | Jo-Philipp Wich <jo@mein.io> | 2020-05-13 11:16:43 +0200 |
commit | bc0288b76816578f5aeccb2abd679f82bfc5738e (patch) | |
tree | 288954142579aeac4854e5c0af1d273551e54486 /package/libs/libjson-c/patches/001-Protect-array_list_del_idx-against-size_t-overflow.patch | |
parent | 2308644b0ce938bbdfe6155b12aae85dd02beea7 (diff) | |
download | upstream-bc0288b76816578f5aeccb2abd679f82bfc5738e.tar.gz upstream-bc0288b76816578f5aeccb2abd679f82bfc5738e.tar.bz2 upstream-bc0288b76816578f5aeccb2abd679f82bfc5738e.zip |
libjson-c: backport security fixes
This backports upstream fixes for the out of bounds write vulnerability in json-c.
It was reported and patches in this upstream PR: https://github.com/json-c/json-c/pull/592
Addresses CVE-2020-12762
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Diffstat (limited to 'package/libs/libjson-c/patches/001-Protect-array_list_del_idx-against-size_t-overflow.patch')
-rw-r--r-- | package/libs/libjson-c/patches/001-Protect-array_list_del_idx-against-size_t-overflow.patch | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/package/libs/libjson-c/patches/001-Protect-array_list_del_idx-against-size_t-overflow.patch b/package/libs/libjson-c/patches/001-Protect-array_list_del_idx-against-size_t-overflow.patch new file mode 100644 index 0000000000..456fbf35ff --- /dev/null +++ b/package/libs/libjson-c/patches/001-Protect-array_list_del_idx-against-size_t-overflow.patch @@ -0,0 +1,27 @@ +From 099016b7e8d70a6d5dd814e788bba08d33d48426 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann <tobias@stoeckmann.org> +Date: Mon, 4 May 2020 19:41:16 +0200 +Subject: [PATCH 1/2] Protect array_list_del_idx against size_t overflow. + +If the assignment of stop overflows due to idx and count being +larger than SIZE_T_MAX in sum, out of boundary access could happen. + +It takes invalid usage of this function for this to happen, but +I decided to add this check so array_list_del_idx is as safe against +bad usage as the other arraylist functions. +--- + arraylist.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arraylist.c ++++ b/arraylist.c +@@ -135,6 +135,9 @@ array_list_del_idx( struct array_list *a + { + size_t i, stop; + ++ /* Avoid overflow in calculation with large indices. */ ++ if (idx > SIZE_T_MAX - count) ++ return -1; + stop = idx + count; + if ( idx >= arr->length || stop > arr->length ) return -1; + for ( i = idx; i < stop; ++i ) { |