Репозитории ALT
| S: | 1.3.8-alt0.2.ga3489a6c8 |
| 5.1: | 1.3.3rc1-alt3 |
| 4.1: | 1.3.2rel-alt0.M41.1 |
| 4.0: | 1.3.0rel-alt2 |
| 3.0: | 1.3.0rc1-alt2 |
Группа :: Система/Серверы
Пакет: proftpd
навигация по пакетам
Главная Изменения Спек Патчи Sources Загрузить Gear Bugs and FR Repocop
Патч: proftpd-1.3.0-deb-SA22803.patch
Скачать
Скачать
diff -urNad proftpd-dfsg-1.3.0~/src/support.c proftpd-dfsg-1.3.0/src/support.c
--- proftpd-dfsg-1.3.0~/src/support.c 2005-09-28 04:06:26.000000000 +0200
+++ proftpd-dfsg-1.3.0/src/support.c 2006-11-28 13:35:33.000000000 +0100
@@ -632,7 +632,8 @@
char **mptr,**rptr;
char *marr[33],*rarr[33];
char buf[PR_TUNABLE_PATH_MAX] = {'\0'}, *pbuf = NULL;- size_t mlen = 0, rlen = 0, blen;
+ size_t mlen = 0, rlen = 0;
+ int blen;
int dyn = TRUE;
cp = buf;
@@ -646,7 +647,7 @@
while ((m = va_arg(args, char *)) != NULL && mlen < sizeof(marr)-1) {char *tmp = NULL;
- size_t count = 0;
+ int count = 0;
if ((r = va_arg(args, char *)) == NULL)
break;
@@ -659,6 +660,12 @@
while (tmp) {pr_signals_handle();
count++;
+ if (count < 0) {+ /* Integer overflow. In order to overflow integer range with a count
+ * of escapes, somebody must be doing something very strange.
+ */
+ return s;
+ }
/* Be sure to increment the pointer returned by strstr(3), to
* advance past the beginning of the substring for which we are
@@ -674,6 +681,12 @@
*/
if (count) {blen += count * (strlen(r) - strlen(m));
+ if (blen < 0) {+ /* Integer overflow. In order to overflow this, somebody must be
+ * doing something very strange.
+ */
+ return s;
+ }
marr[mlen] = m;
rarr[mlen++] = r;
}
@@ -722,10 +735,11 @@
}
if (!*mptr) {- if ((cp - pbuf + 1) > blen) {+ if ((cp - pbuf + 1) >= blen) {pr_log_pri(PR_LOG_ERR,
"WARNING: attempt to overflow internal ProFTPD buffers");
cp = pbuf + blen - 1;
+ goto done;
}
*cp++ = *src++;
}