Commit | Line | Data |
---|---|---|
0c0c20aa AM |
1 | From 2cb94a53eb9186bd405120543301e1240b895d86 Mon Sep 17 00:00:00 2001 |
2 | From: Qualys Security Advisory <qsa@qualys.com> | |
3 | Date: Sun, 21 Feb 2021 21:45:19 -0800 | |
4 | Subject: [PATCH 12/29] CVE-2020-28009: Integer overflow in get_stdinput() | |
5 | ||
6 | --- | |
7 | src/string.c | 23 ++++++++++++++++++++++- | |
8 | 1 file changed, 22 insertions(+), 1 deletion(-) | |
9 | ||
10 | diff --git a/src/string.c b/src/string.c | |
11 | index 3445f8a42..2cdbe7c75 100644 | |
12 | --- a/src/string.c | |
13 | +++ b/src/string.c | |
14 | @@ -1147,6 +1147,18 @@ To try to keep things reasonable, we use increments whose size depends on the | |
15 | existing length of the string. */ | |
16 | ||
17 | unsigned inc = oldsize < 4096 ? 127 : 1023; | |
18 | + | |
19 | +if (g->ptr < 0 || g->ptr > g->size || g->size >= INT_MAX/2) | |
20 | + log_write(0, LOG_MAIN|LOG_PANIC_DIE, | |
21 | + "internal error in gstring_grow (ptr %d size %d)", g->ptr, g->size); | |
22 | + | |
23 | +if (count <= 0) return; | |
24 | + | |
25 | +if (count >= INT_MAX/2 - g->ptr) | |
26 | + log_write(0, LOG_MAIN|LOG_PANIC_DIE, | |
27 | + "internal error in gstring_grow (ptr %d count %d)", g->ptr, count); | |
28 | + | |
29 | + | |
30 | g->size = ((p + count + inc) & ~inc) + 1; | |
31 | ||
32 | /* Try to extend an existing allocation. If the result of calling | |
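Review bot: The new range checks in gstring_grow validate `g->ptr`, but the size computation right after them still uses the caller-supplied `p` in `g->size = ((p + count + inc) & ~inc) + 1;`, so the overflow bound only holds when the two values are equal. string_catn in this patch passes `p = g->ptr`, but any other caller (not visible here) that passes a different offset would not be covered by the guard. Checking the parameter itself would close that gap: `if (p < 0 || p > g->size || g->size >= INT_MAX/2)` and `if (count >= INT_MAX/2 - p)`. The function's signature and the rest of its body lie outside the hunk.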
33 | @@ -1194,6 +1206,10 @@ string_catn(gstring * g, const uschar *s, int count) | |
34 | { | |
35 | int p; | |
36 | ||
37 | +if (count < 0) | |
38 | + log_write(0, LOG_MAIN|LOG_PANIC_DIE, | |
39 | + "internal error in string_catn (count %d)", count); | |
40 | + | |
41 | if (!g) | |
42 | { | |
43 | unsigned inc = count < 4096 ? 127 : 1023; | |
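Review bot: `count` gets only a lower bound at the top of string_catn, so on the `!g` path the rounding with `inc` runs on a value with no upper limit. The `size` computation falls between this hunk and the next and is not shown, so its exact behaviour for very large counts is an inference. gstring_grow in this patch rejects `count >= INT_MAX/2 - g->ptr`, and using the same ceiling here would keep both allocation paths consistent: `if (count < 0 || count >= INT_MAX/2)`. The code below also appears to rely on `LOG_PANIC_DIE` not returning, which a short comment above the check could state.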
44 | @@ -1201,8 +1217,13 @@ if (!g) | |
45 | g = string_get(size); | |
46 | } | |
47 | ||
48 | +if (g->ptr < 0 || g->ptr > g->size) | |
49 | + log_write(0, LOG_MAIN|LOG_PANIC_DIE, | |
50 | + "internal error in string_catn (ptr %d size %d)", g->ptr, g->size); | |
51 | + | |
52 | p = g->ptr; | |
53 | -if (p + count >= g->size) | |
54 | + | |
55 | +if (count >= g->size - p) | |
56 | gstring_grow(g, p, count); | |
57 | ||
58 | /* Because we always specify the exact number of characters to copy, we can | |
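Review bot: The sanity check accepts `g->ptr == g->size`, while the growth test below it (`count >= g->size - p`) is written to keep `ptr` strictly below `size` after every append. In that boundary state a zero-length append calls gstring_grow with `count == 0`, and the first hunk's `if (count <= 0) return;` then skips the size computation that the old `p + count >= g->size` path would have reached. If code elsewhere writes a terminator at `g->s[g->ptr]` (not visible here), that leaves no room for it. Consider tightening the check to `if (g->ptr < 0 || g->ptr >= g->size)`, or add a comment saying why equality is a valid state. The body of string_catn continues past the hunk.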
59 | -- | |
60 | 2.30.2 | |
61 |