diff options
Diffstat (limited to 'meta/recipes-extended/wget/wget/CVE-2019-5953.patch')
-rw-r--r-- | meta/recipes-extended/wget/wget/CVE-2019-5953.patch | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/meta/recipes-extended/wget/wget/CVE-2019-5953.patch b/meta/recipes-extended/wget/wget/CVE-2019-5953.patch new file mode 100644 index 0000000000..e43e8e545b --- /dev/null +++ b/meta/recipes-extended/wget/wget/CVE-2019-5953.patch | |||
@@ -0,0 +1,51 @@ | |||
1 | From 692d5c5215de0db482c252492a92fc424cc6a97c Mon Sep 17 00:00:00 2001 | ||
2 | From: Tim Ruehsen <tim.ruehsen@gmx.de> | ||
3 | Date: Fri, 5 Apr 2019 11:50:44 +0200 | ||
4 | Subject: [PATCH] Fix a buffer overflow vulnerability | ||
5 | |||
6 | * src/iri.c(do_conversion): Reallocate the output buffer to a larger | ||
7 | size if it is already full | ||
8 | |||
9 | Upstream-Status: Backport | ||
10 | http://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c | ||
11 | CVE: CVE-2019-5953 | ||
12 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
13 | |||
14 | --- | ||
15 | src/iri.c | 12 +++++++++--- | ||
16 | 1 file changed, 9 insertions(+), 3 deletions(-) | ||
17 | |||
18 | Index: wget-1.19.5/src/iri.c | ||
19 | =================================================================== | ||
20 | --- wget-1.19.5.orig/src/iri.c | ||
21 | +++ wget-1.19.5/src/iri.c | ||
22 | @@ -151,8 +151,11 @@ do_conversion (const char *tocode, const | ||
23 | *out = s = xmalloc (outlen + 1); | ||
24 | done = 0; | ||
25 | |||
26 | + DEBUGP (("iconv %s -> %s\n", tocode, fromcode)); | ||
27 | + | ||
28 | for (;;) | ||
29 | { | ||
30 | + DEBUGP (("iconv outlen=%d inlen=%d\n", outlen, inlen)); | ||
31 | if (iconv (cd, (ICONV_CONST char **) &in, &inlen, out, &outlen) != (size_t)(-1) && | ||
32 | iconv (cd, NULL, NULL, out, &outlen) != (size_t)(-1)) | ||
33 | { | ||
34 | @@ -187,11 +190,14 @@ do_conversion (const char *tocode, const | ||
35 | } | ||
36 | else if (errno == E2BIG) /* Output buffer full */ | ||
37 | { | ||
38 | + logprintf (LOG_VERBOSE, | ||
39 | + _("Reallocate output buffer len=%d outlen=%d inlen=%d\n"), len, outlen, inlen); | ||
40 | tooshort++; | ||
41 | done = len; | ||
42 | - len = outlen = done + inlen * 2; | ||
43 | - s = xrealloc (s, outlen + 1); | ||
44 | - *out = s + done; | ||
45 | + len = done + inlen * 2; | ||
46 | + s = xrealloc (s, len + 1); | ||
47 | + *out = s + done - outlen; | ||
48 | + outlen += inlen * 2; | ||
49 | } | ||
50 | else /* Weird, we got an unspecified error */ | ||
51 | { | ||