NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
18684d51f4
kumquat-buildroot/package/matio/0002-Fix-illegal-memory-access.patch
Fabrice Fontaine e1af92592e package/matio: add upstream security fixes 
Fix the following CVEs:
 - CVE-2019-17533: Mat_VarReadNextInfo4 in mat4.c in MATIO 1.5.17 omits
   a certain '\0' character, leading to a heap-based buffer over-read in
   strdup_vprintf when uninitialized memory is accessed.
 - CVE-2019-20017: A stack-based buffer over-read was discovered in
   Mat_VarReadNextInfo5 in mat5.c in matio 1.5.17.
 - CVE-2019-20018: A stack-based buffer over-read was discovered in
   ReadNextCell in mat5.c in matio 1.5.17.
 - CVE-2019-20020: A stack-based buffer over-read was discovered in
   ReadNextStructField in mat5.c in matio 1.5.17.
 - CVE-2019-20052: A memory leak was discovered in Mat_VarCalloc in
   mat.c in matio 1.5.17 because SafeMulDims does not consider the
   rank==0 case.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-05-29 21:54:28 +02:00

48 lines
2.0 KiB
Diff
Raw Blame History

From 7b4699854cc65874e13a8e6944cd8e62fa981068 Mon Sep 17 00:00:00 2001
From: tbeu <tbeu@users.noreply.github.com>
Date: Mon, 11 Nov 2019 21:58:41 +0100
Subject: [PATCH] Fix illegal memory access
As reported by https://github.com/tbeu/matio/issues/128
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Retrieved from:
https://github.com/tbeu/matio/commit/7b4699854cc65874e13a8e6944cd8e62fa981068]
---
src/mat5.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/src/mat5.c b/src/mat5.c
index 7f50da4..b76a331 100644
--- a/src/mat5.c
+++ b/src/mat5.c
@@ -1380,11 +1380,26 @@ ReadNextStructField( mat_t *mat, matvar_t *matvar )
/* Rank and dimension */
if ( uncomp_buf[0] == MAT_T_INT32 ) {
int j;
+ size_t size;
fields[i]->rank = uncomp_buf[1];
nbytes -= fields[i]->rank;
fields[i]->rank /= 4;
- fields[i]->dims = (size_t*)malloc(fields[i]->rank*
- sizeof(*fields[i]->dims));
+ if ( 0 == do_clean && fields[i]->rank > 13 ) {
+ int rank = fields[i]->rank;
+ fields[i]->rank = 0;
+ Mat_Critical("%d is not a valid rank", rank);
+ continue;
+ }
+ err = SafeMul(&size, fields[i]->rank, sizeof(*fields[i]->dims));
+ if ( err ) {
+ if ( do_clean )
+ free(dims);
+ Mat_VarFree(fields[i]);
+ fields[i] = NULL;
+ Mat_Critical("Integer multiplication overflow");
+ continue;
+ }
+ fields[i]->dims = (size_t*)malloc(size);
if ( mat->byteswap ) {
for ( j = 0; j < fields[i]->rank; j++ )
fields[i]->dims[j] = Mat_uint32Swap(dims+j);
Reference in New Issue View Git Blame Copy Permalink