blob: dea298634f0d0e1f63a9c6f987ad4e5c2a5480d2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
Integer overflow in src/zm.c:zsdata() causes crash in sz and can leak information to receiver.
Patch taken from Fedora.
CVE: CVE-2018-10195
Upstream-Status: Inappropriate (dead upstream)
Signed-off-by: Ross Burton <ross.burton@intel.com>
diff -urN lrzsz-0.12.20/src/zm.c lrzsz-0.12.20.new/src/zm.c
--- lrzsz-0.12.20/src/zm.c Tue Dec 29 09:48:38 1998
+++ lrzsz-0.12.20.new/src/zm.c Tue Oct 8 12:46:58 2002
@@ -431,10 +431,12 @@
VPRINTF(3,("zsdata: %lu %s", (unsigned long) length,
Zendnames[(frameend-ZCRCE)&3]));
crc = 0;
- do {
- zsendline(*buf); crc = updcrc((0377 & *buf), crc);
- buf++;
- } while (--length>0);
+
+ for( ; length; length--) {
+ zsendline(*buf); crc = updcrc((0377 & *buf), crc);
+ buf++;
+ }
+
xsendline(ZDLE); xsendline(frameend);
crc = updcrc(frameend, crc);
|
