Mercurial Mercurial > upstream > oracle > userland-gate / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/libtasn1/patches/libtasn1-04-cve-2014-3469.patch
changeset 4723 4193dfeb0e39 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libtasn1/patches/libtasn1-04-cve-2014-3469.patch	Thu Jul 30 17:45:10 2015 -0700
@@ -0,0 +1,86 @@
+Source:
+Internal
+
+Info:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469
+The (1) asn1_read_value_type and (2) asn1_read_value functions in GNU Libtasn1 
+before 3.6 allows context-dependent attackers to cause a denial of service 
+(NULL pointer dereference and crash) via a NULL value in an ivalue argument.
+
+Status:
+Need to determine if this patch has been sent upstream.
+
+--- libtasn1-2.8/lib/element.c.orig	2014-06-05 10:41:52.955725412 +0530
++++ libtasn1-2.8/lib/element.c	2014-06-05 11:09:52.177695875 +0530
+@@ -113,8 +113,11 @@ _asn1_convert_integer (const char *value
+     /* VALUE_OUT is too short to contain the value conversion */
+     return ASN1_MEM_ERROR;
+ 
+-  for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++)
++  if (value_out != NULL)
++  {
++    for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++)
+     value_out[k2 - k] = val[k2];
++  }
+ 
+ #if 0
+   printf ("_asn1_convert_integer: valueIn=%s, lenOut=%d", value, *len);
+@@ -622,7 +625,8 @@ asn1_write_value (ASN1_TYPE node_root, c
+ 	if (ptr_size < data_size) { \
+ 		return ASN1_MEM_ERROR; \
+ 	} else { \
+-		memcpy( ptr, data, data_size); \
++		if (ptr && data_size > 0) \
++			memcpy( ptr, data, data_size); \
+ 	}
+ 
+ #define PUT_STR_VALUE( ptr, ptr_size, data) \
+@@ -631,36 +635,39 @@ asn1_write_value (ASN1_TYPE node_root, c
+ 		return ASN1_MEM_ERROR; \
+ 	} else { \
+ 		/* this strcpy is checked */ \
+-		strcpy(ptr, data); \
++		if (ptr) { \
++			strcpy(ptr, data); \
++		} \
+ 	}
+ 
+ #define ADD_STR_VALUE( ptr, ptr_size, data) \
+-	*len = (int) strlen(data) + 1; \
+-	if (ptr_size < (int) strlen(ptr)+(*len)) { \
++	*len += strlen(data); \
++	if (ptr_size < (int) *len) { \
++		(*len)++; \
+ 		return ASN1_MEM_ERROR; \
+ 	} else { \
+ 		/* this strcat is checked */ \
+-		strcat(ptr, data); \
++		if (ptr) strcat (ptr, data); \
+ 	}
+-
+ /**
+  * asn1_read_value:
+  * @root: pointer to a structure.
+  * @name: the name of the element inside a structure that you want to read.
+  * @ivalue: vector that will contain the element's content, must be a
+- *   pointer to memory cells already allocated.
++ *   pointer to memory cells already allocated (may be %NULL).
+  * @len: number of bytes of *value: value[0]..value[len-1]. Initialy
+  *   holds the sizeof value.
+  *
+  * Returns the value of one element inside a structure.
+- *
+- * If an element is OPTIONAL and the function "read_value" returns
++ * If an element is OPTIONAL and this returns
+  * %ASN1_ELEMENT_NOT_FOUND, it means that this element wasn't present
+  * in the der encoding that created the structure.  The first element
+  * of a SEQUENCE_OF or SET_OF is named "?1". The second one "?2" and
+  * so on.
+  *
+- * INTEGER: VALUE will contain a two's complement form integer.
++ * Note that there can be valid values with length zero. In these case
++ * this function will succeed and @len will be zero.
++ *
+  *
+  *            integer=-1  -> value[0]=0xFF , len=1.
+  *            integer=1   -> value[0]=0x01 , len=1.
upstream/oracle/userland-gate