Diffstat (limited to 'debian/patches/0001-asprintf.patch')
-rw-r--r-- | debian/patches/0001-asprintf.patch | 118 |
1 files changed, 118 insertions, 0 deletions
diff --git a/debian/patches/0001-asprintf.patch b/debian/patches/0001-asprintf.patch
new file mode 100644
index 0000000..b3a74fa
--- /dev/null
+++ b/debian/patches/0001-asprintf.patch
@@ -0,0 +1,118 @@
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 3 Jan 2021 02:06:39 -0800
+Subject: Fix some non-exploitable buffer overflows in mkbootmsg (LP: #27011).
+
+---
+ gfxboot-compile.c | 32 ++++++++++++++++++++------------
+ 1 file changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/gfxboot-compile.c b/gfxboot-compile.c
+index dd882e8..835450e 100644
+--- a/gfxboot-compile.c
++++ b/gfxboot-compile.c
+@@ -1763,7 +1763,7 @@ void log_cline(FILE *lf)
+ }
+
+
+-char *add_to_line(char *s)
++char *add_to_line(const char *s)
+ {
+ static char buf[10240] = {};
+ static int ind = 0;
+@@ -1812,7 +1812,7 @@ void decompile(unsigned char *data, unsigned size)
+ unsigned inst_size;
+ dict_t *d;
+ unsigned type;
+- char *s, buf[1024];
++ char *s, *buf;
+ unsigned char *p;
+
+ // setup initial vocabulary
+@@ -1889,13 +1889,15 @@ void decompile(unsigned char *data, unsigned size)
+ }
+
+ case t_unsigned:
+- sprintf(buf, "%d", val);
++ asprintf(&buf, "%d", val);
+ add_to_line(buf);
++ free(buf);
+ break;
+
+ case t_string:
++ buf = malloc(strlen((char *) data + i + u + 1) * 4 + 3);
+ buf[0] = '"';
+- for(j = 1, p = data + i + u + 1; *p && j < sizeof buf - 10; p++) {
++ for(j = 1, p = data + i + u + 1; *p; p++) {
+ if(*p == '\n') {
+ buf[j++] = '\\';
+ buf[j++] = 'n';
+@@ -1917,16 +1919,18 @@ void decompile(unsigned char *data, unsigned size)
+ buf[j++] = '"';
+ buf[j] = 0;
+ s = add_to_line(buf);
++ free(buf);
+ break;
+
+ case t_sec:
+ if(val < dict_size && dict[val].name) {
+- sprintf(buf, "%s", dict[val].name);
++ asprintf(&buf, "%s", dict[val].name);
+ }
+ else {
+- sprintf(buf, "name_%d", val);
++ asprintf(&buf, "name_%d", val);
+ }
+ s = add_to_line(buf);
++ free(buf);
+ printf("%s\n", s);
+ add_to_line("");
+ break;
+@@ -1939,38 +1943,42 @@ void decompile(unsigned char *data, unsigned size)
+ }
+ }
+ if(s) {
+- sprintf(buf, "%s", s);
++ asprintf(&buf, "%s", s);
+ }
+ else {
+- sprintf(buf, "prim_<%d>", val);
++ asprintf(&buf, "prim_<%d>", val);
+ }
+ s = add_to_line(buf);
++ free(buf);
+ printf("%s\n", s);
+ add_to_line("");
+ break;
+
+ case t_bool:
+- sprintf(buf, "%s", val ? "true" : "false");
++ asprintf(&buf, "%s", val ? "true" : "false");
+ s = add_to_line(buf);
++ free(buf);
+ printf("%s\n", s);
+ add_to_line("");
+ break;
+
+ case t_none:
+- sprintf(buf, ".undef");
++ asprintf(&buf, ".undef");
+ s = add_to_line(buf);
++ free(buf);
+ printf("%s\n", s);
+ add_to_line("");
+ break;
+
+ case t_dict_idx:
+ if(val < dict_size && dict[val].name) {
+- sprintf(buf, "/%s", dict[val].name);
++ asprintf(&buf, "/%s", dict[val].name);
+ }
+ else {
+- sprintf(buf, "/name_%d", val);
++ asprintf(&buf, "/name_%d", val);
+ }
+ add_to_line(buf);
++ free(buf);
+ break;
+
+ default: |
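Review bot: None of the new allocations in decompile() is checked: `buf = malloc(strlen((char *) data + i + u + 1) * 4 + 3);` is dereferenced on the very next line, and every `asprintf(&buf, ...)` result is ignored even though glibc leaves `buf` undefined on failure, so `add_to_line(buf)` and `free(buf)` would then act on an indeterminate pointer. Each call should test its result, for example `if(asprintf(&buf, "%d", val) < 0) { perror("asprintf"); exit(1); }` (or whatever error path the file already uses), with a matching `if(!buf)` after the malloc. Dropping `j < sizeof buf - 10` from the t_string loop also means the escaped string is now as long as the input makes it, while add_to_line() still keeps `static char buf[10240]`; its body is outside this patch, so it is worth confirming that it bounds what it copies, otherwise the overflow has only moved. The `* 4 + 3` sizing depends on the escape branches between the two t_string hunks, which are not shown, and `strlen` now walks `data` with no reference to `size`, so an unterminated string at the end of the input would presumably be read past the buffer.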