ALT Linux repositórios
S: | 1.3.8-alt0.2.ga3489a6c8 |
5.0: | 1.3.2rel-alt0.M50.1 |
4.1: | 1.3.2rel-alt0.M41.1 |
4.0: | 1.3.0rel-alt2 |
3.0: | 1.3.0rc1-alt2 |
Group :: Sistema/Servidores
RPM: proftpd
Main Changelog Spec Patches Sources Download Gear Bugs e FR Repocop
Patch: proftpd-1.3.0-deb-SA22803.patch
Download
Download
diff -urNad proftpd-dfsg-1.3.0~/src/support.c proftpd-dfsg-1.3.0/src/support.c
--- proftpd-dfsg-1.3.0~/src/support.c 2005-09-28 04:06:26.000000000 +0200
+++ proftpd-dfsg-1.3.0/src/support.c 2006-11-28 13:35:33.000000000 +0100
@@ -632,7 +632,8 @@
char **mptr,**rptr;
char *marr[33],*rarr[33];
char buf[PR_TUNABLE_PATH_MAX] = {'\0'}, *pbuf = NULL;
- size_t mlen = 0, rlen = 0, blen;
+ size_t mlen = 0, rlen = 0;
+ int blen;
int dyn = TRUE;
cp = buf;
@@ -646,7 +647,7 @@
while ((m = va_arg(args, char *)) != NULL && mlen < sizeof(marr)-1) {
char *tmp = NULL;
- size_t count = 0;
+ int count = 0;
if ((r = va_arg(args, char *)) == NULL)
break;
@@ -659,6 +660,12 @@
while (tmp) {
pr_signals_handle();
count++;
+ if (count < 0) {
+ /* Integer overflow. In order to overflow integer range with a count
+ * of escapes, somebody must be doing something very strange.
+ */
+ return s;
+ }
/* Be sure to increment the pointer returned by strstr(3), to
* advance past the beginning of the substring for which we are
@@ -674,6 +681,12 @@
*/
if (count) {
blen += count * (strlen(r) - strlen(m));
+ if (blen < 0) {
+ /* Integer overflow. In order to overflow this, somebody must be
+ * doing something very strange.
+ */
+ return s;
+ }
marr[mlen] = m;
rarr[mlen++] = r;
}
@@ -722,10 +735,11 @@
}
if (!*mptr) {
- if ((cp - pbuf + 1) > blen) {
+ if ((cp - pbuf + 1) >= blen) {
pr_log_pri(PR_LOG_ERR,
"WARNING: attempt to overflow internal ProFTPD buffers");
cp = pbuf + blen - 1;
+ goto done;
}
*cp++ = *src++;
}