diff options
Diffstat (limited to 'debian/patches/0001-asprintf.patch')
-rw-r--r-- | debian/patches/0001-asprintf.patch | 113 |
1 files changed, 113 insertions, 0 deletions
diff --git a/debian/patches/0001-asprintf.patch b/debian/patches/0001-asprintf.patch new file mode 100644 index 0000000..d62750b --- /dev/null +++ b/debian/patches/0001-asprintf.patch @@ -0,0 +1,113 @@ +Author: Colin Watson <cjwatson@debian.org> +Description: + Fix some non-exploitable buffer overflows in mkbootmsg (LP: #27011). + +diff -Naurp gfxboot.orig/gfxboot-compile.c gfxboot/gfxboot-compile.c +--- gfxboot.orig/gfxboot-compile.c ++++ gfxboot/gfxboot-compile.c +@@ -1765,7 +1765,7 @@ void log_cline(FILE *lf) + } + + +-char *add_to_line(char *s) ++char *add_to_line(const char *s) + { + static char buf[10240] = {}; + static int ind = 0; +@@ -1814,7 +1814,7 @@ void decompile(unsigned char *data, unsi + unsigned inst_size; + dict_t *d; + unsigned type; +- char *s, buf[1024]; ++ char *s, *buf; + unsigned char *p; + + // setup initial vocabulary +@@ -1891,13 +1891,15 @@ void decompile(unsigned char *data, unsi + } + + case t_unsigned: +- sprintf(buf, "%d", val); ++ asprintf(&buf, "%d", val); + add_to_line(buf); ++ free(buf); + break; + + case t_string: ++ buf = malloc(strlen((char *) data + i + u + 1) * 4 + 3); + buf[0] = '"'; +- for(j = 1, p = data + i + u + 1; *p && j < sizeof buf - 10; p++) { ++ for(j = 1, p = data + i + u + 1; *p; p++) { + if(*p == '\n') { + buf[j++] = '\\'; + buf[j++] = 'n'; +@@ -1919,16 +1921,18 @@ void decompile(unsigned char *data, unsi + buf[j++] = '"'; + buf[j] = 0; + s = add_to_line(buf); ++ free(buf); + break; + + case t_sec: + if(val < dict_size && dict[val].name) { +- sprintf(buf, "%s", dict[val].name); ++ asprintf(&buf, "%s", dict[val].name); + } + else { +- sprintf(buf, "name_%d", val); ++ asprintf(&buf, "name_%d", val); + } + s = add_to_line(buf); ++ free(buf); + printf("%s\n", s); + add_to_line(""); + break; +@@ -1941,38 +1945,42 @@ void decompile(unsigned char *data, unsi + } + } + if(s) { +- sprintf(buf, "%s", s); ++ asprintf(&buf, "%s", s); + } + else { +- sprintf(buf, "prim_<%d>", val); ++ asprintf(&buf, "prim_<%d>", val); + } + s = add_to_line(buf); ++ free(buf); + printf("%s\n", s); + add_to_line(""); + break; + + case t_bool: +- sprintf(buf, "%s", val ? "true" : "false"); ++ asprintf(&buf, "%s", val ? "true" : "false"); + s = add_to_line(buf); ++ free(buf); + printf("%s\n", s); + add_to_line(""); + break; + + case t_none: +- sprintf(buf, ".undef"); ++ asprintf(&buf, ".undef"); + s = add_to_line(buf); ++ free(buf); + printf("%s\n", s); + add_to_line(""); + break; + + case t_dict_idx: + if(val < dict_size && dict[val].name) { +- sprintf(buf, "/%s", dict[val].name); ++ asprintf(&buf, "/%s", dict[val].name); + } + else { +- sprintf(buf, "/name_%d", val); ++ asprintf(&buf, "/name_%d", val); + } + add_to_line(buf); ++ free(buf); + break; + + default: |