| 1 |
commit: d37ba903d8d0c9c3d7de8280b55229c23cebad18 |
| 2 |
Author: Ulrich Müller <ulm <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Tue Dec 8 16:56:52 2015 +0000 |
| 4 |
Commit: Ulrich Müller <ulm <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Tue Dec 8 16:56:52 2015 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/dev/ulm.git/commit/?id=d37ba903 |
| 7 |
|
| 8 |
put.c: Avoid out of bounds stack read. |
| 9 |
|
| 10 |
Fix the extract() function not to access unnecessary array elements; |
| 11 |
this avoids an out-of-bounds read when called from btoe() or etob(). |
| 12 |
Change the insert() function to use similar logic as extract(). |
| 13 |
|
| 14 |
Bug: 567608 |
| 15 |
|
| 16 |
patchsets/skey/1.1.5/14_all_extract-insert.patch | 84 ++++++++++++++++++++++++ |
| 17 |
1 file changed, 84 insertions(+) |
| 18 |
|
| 19 |
diff --git a/patchsets/skey/1.1.5/14_all_extract-insert.patch b/patchsets/skey/1.1.5/14_all_extract-insert.patch |
| 20 |
new file mode 100644 |
| 21 |
index 0000000..62e3efc |
| 22 |
--- /dev/null |
| 23 |
+++ b/patchsets/skey/1.1.5/14_all_extract-insert.patch |
| 24 |
@@ -0,0 +1,84 @@ |
| 25 |
+https://bugs.gentoo.org/567608 |
| 26 |
+Fix the extract() function not to access unnecessary array elements; |
| 27 |
+this avoids an out-of-bounds read when called from btoe() or etob(). |
| 28 |
+Change the insert() function to use similar logic as extract(). |
| 29 |
+ |
| 30 |
+--- skey-1.1.5-orig/put.c |
| 31 |
++++ skey-1.1.5/put.c |
| 32 |
+@@ -2221,37 +2221,20 @@ |
| 33 |
+ |
| 34 |
+ static void insert(char *s, int x, int start, int length) |
| 35 |
+ { |
| 36 |
+- unsigned char cl; |
| 37 |
+- unsigned char cc; |
| 38 |
+- unsigned char cr; |
| 39 |
+ unsigned int y; |
| 40 |
+- int shift; |
| 41 |
++ int end, i; |
| 42 |
+ |
| 43 |
+ assert(length <= 11); |
| 44 |
+ assert(start >= 0); |
| 45 |
+ assert(length >= 0); |
| 46 |
+ assert(start + length <= 66); |
| 47 |
+ |
| 48 |
+- shift = ((8 - ((start + length) % 8)) % 8); |
| 49 |
+- y = (int) x << shift; |
| 50 |
+- cl = (y >> 16) & 0xff; |
| 51 |
+- cc = (y >> 8) & 0xff; |
| 52 |
+- cr = y & 0xff; |
| 53 |
+- if (shift + length > 16) |
| 54 |
+- { |
| 55 |
+- s[start / 8] |= cl; |
| 56 |
+- s[start / 8 + 1] |= cc; |
| 57 |
+- s[start / 8 + 2] |= cr; |
| 58 |
+- } |
| 59 |
+- else if (shift + length > 8) |
| 60 |
+- { |
| 61 |
+- s[start / 8] |= cc; |
| 62 |
+- s[start / 8 + 1] |= cr; |
| 63 |
+- } |
| 64 |
+- else |
| 65 |
+- { |
| 66 |
+- s[start / 8] |= cr; |
| 67 |
+- } |
| 68 |
++ end = start + length - 1; |
| 69 |
++ y = x << (7 - end % 8); |
| 70 |
++ for (i = end / 8; i >= start / 8; i--) { |
| 71 |
++ s[i] |= y & 0xff; |
| 72 |
++ y >>= 8; |
| 73 |
++ } |
| 74 |
+ } |
| 75 |
+ |
| 76 |
+ static void standard(char *word) |
| 77 |
+@@ -2274,22 +2257,22 @@ |
| 78 |
+ /* Extract 'length' bits from the char array 's' starting with bit 'start' */ |
| 79 |
+ static unsigned int extract(char *s, int start, int length) |
| 80 |
+ { |
| 81 |
+- unsigned char cl; |
| 82 |
+- unsigned char cc; |
| 83 |
+- unsigned char cr; |
| 84 |
+ unsigned int x; |
| 85 |
++ int end, i; |
| 86 |
+ |
| 87 |
+ assert(length <= 11); |
| 88 |
+ assert(start >= 0); |
| 89 |
+ assert(length >= 0); |
| 90 |
+ assert(start + length <= 66); |
| 91 |
+ |
| 92 |
+- cl = s[start / 8]; |
| 93 |
+- cc = s[start / 8 + 1]; |
| 94 |
+- cr = s[start / 8 + 2]; |
| 95 |
+- x = ((int)(cl << 8 | cc) << 8 | cr); |
| 96 |
+- x = x >> (24 - (length + (start % 8))); |
| 97 |
+- x = (x & (0xffff >> (16 - length))); |
| 98 |
++ end = start + length - 1; |
| 99 |
++ x = 0; |
| 100 |
++ for (i = start / 8; i <= end / 8; i++) { |
| 101 |
++ x <<= 8; |
| 102 |
++ x |= (unsigned char)s[i]; |
| 103 |
++ } |
| 104 |
++ x >>= 7 - end % 8; |
| 105 |
++ x &= (1 << length) - 1; |
| 106 |
+ |
| 107 |
+ return x; |
| 108 |
+ } |
Archives