1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
From 692d5c5215de0db482c252492a92fc424cc6a97c Mon Sep 17 00:00:00 2001
From: Tim Ruehsen <tim.ruehsen@gmx.de>
Date: Fri, 5 Apr 2019 11:50:44 +0200
Subject: [PATCH] Fix a buffer overflow vulnerability
* src/iri.c(do_conversion): Reallocate the output buffer to a larger
size if it is already full
Upstream-Status: Backport
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c
CVE: CVE-2019-5953
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
src/iri.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
Index: wget-1.19.5/src/iri.c
===================================================================
--- wget-1.19.5.orig/src/iri.c
+++ wget-1.19.5/src/iri.c
@@ -151,8 +151,11 @@ do_conversion (const char *tocode, const
*out = s = xmalloc (outlen + 1);
done = 0;
+ DEBUGP (("iconv %s -> %s\n", tocode, fromcode));
+
for (;;)
{
+ DEBUGP (("iconv outlen=%d inlen=%d\n", outlen, inlen));
if (iconv (cd, (ICONV_CONST char **) &in, &inlen, out, &outlen) != (size_t)(-1) &&
iconv (cd, NULL, NULL, out, &outlen) != (size_t)(-1))
{
@@ -187,11 +190,14 @@ do_conversion (const char *tocode, const
}
else if (errno == E2BIG) /* Output buffer full */
{
+ logprintf (LOG_VERBOSE,
+ _("Reallocate output buffer len=%d outlen=%d inlen=%d\n"), len, outlen, inlen);
tooshort++;
done = len;
- len = outlen = done + inlen * 2;
- s = xrealloc (s, outlen + 1);
- *out = s + done;
+ len = done + inlen * 2;
+ s = xrealloc (s, len + 1);
+ *out = s + done - outlen;
+ outlen += inlen * 2;
}
else /* Weird, we got an unspecified error */
{
|