aboutsummaryrefslogtreecommitdiff
path: root/package/matio/0003-Fix-illegal-memory-access.patch
diff options
context:
space:
mode:
authorGravatar Fabrice Fontaine <fontaine.fabrice@gmail.com>2020-05-02 21:54:38 +0200
committerGravatar Peter Korsgaard <peter@korsgaard.com>2020-05-29 21:54:28 +0200
commite1af92592ec591270ef7f86a56562d119f2a46e1 (patch)
tree8ba2d7bd087cae586773eb15188a05e8ad472dbb /package/matio/0003-Fix-illegal-memory-access.patch
parent75e82c42c6a4612c7385a32dcb82ca9cb5d866bd (diff)
downloadbuildroot-e1af92592ec591270ef7f86a56562d119f2a46e1.tar.gz
buildroot-e1af92592ec591270ef7f86a56562d119f2a46e1.tar.bz2
package/matio: add upstream security fixes
Fix the following CVEs: - CVE-2019-17533: Mat_VarReadNextInfo4 in mat4.c in MATIO 1.5.17 omits a certain '\0' character, leading to a heap-based buffer over-read in strdup_vprintf when uninitialized memory is accessed. - CVE-2019-20017: A stack-based buffer over-read was discovered in Mat_VarReadNextInfo5 in mat5.c in matio 1.5.17. - CVE-2019-20018: A stack-based buffer over-read was discovered in ReadNextCell in mat5.c in matio 1.5.17. - CVE-2019-20020: A stack-based buffer over-read was discovered in ReadNextStructField in mat5.c in matio 1.5.17. - CVE-2019-20052: A memory leak was discovered in Mat_VarCalloc in mat.c in matio 1.5.17 because SafeMulDims does not consider the rank==0 case. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Diffstat (limited to 'package/matio/0003-Fix-illegal-memory-access.patch')
-rw-r--r--package/matio/0003-Fix-illegal-memory-access.patch46
1 files changed, 46 insertions, 0 deletions
diff --git a/package/matio/0003-Fix-illegal-memory-access.patch b/package/matio/0003-Fix-illegal-memory-access.patch
new file mode 100644
index 0000000000..787207f217
--- /dev/null
+++ b/package/matio/0003-Fix-illegal-memory-access.patch
@@ -0,0 +1,46 @@
+From 65831b7ec829b0ae0ac9d691a2f8fbc2b26af677 Mon Sep 17 00:00:00 2001
+From: tbeu <tbeu@users.noreply.github.com>
+Date: Mon, 11 Nov 2019 22:03:54 +0100
+Subject: [PATCH] Fix illegal memory access
+
+As reported by https://github.com/tbeu/matio/issues/129
+
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Retrieved from:
+https://github.com/tbeu/matio/commit/65831b7ec829b0ae0ac9d691a2f8fbc2b26af677]
+---
+ src/mat5.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/src/mat5.c b/src/mat5.c
+index b76a331..5e3464e 100644
+--- a/src/mat5.c
++++ b/src/mat5.c
+@@ -989,10 +989,26 @@ ReadNextCell( mat_t *mat, matvar_t *matvar )
+ /* Rank and Dimension */
+ if ( uncomp_buf[0] == MAT_T_INT32 ) {
+ int j;
++ size_t size;
+ cells[i]->rank = uncomp_buf[1];
+ nbytes -= cells[i]->rank;
+ cells[i]->rank /= 4;
+- cells[i]->dims = (size_t*)malloc(cells[i]->rank*sizeof(*cells[i]->dims));
++ if ( 0 == do_clean && cells[i]->rank > 13 ) {
++ int rank = cells[i]->rank;
++ cells[i]->rank = 0;
++ Mat_Critical("%d is not a valid rank", rank);
++ continue;
++ }
++ err = SafeMul(&size, cells[i]->rank, sizeof(*cells[i]->dims));
++ if ( err ) {
++ if ( do_clean )
++ free(dims);
++ Mat_VarFree(cells[i]);
++ cells[i] = NULL;
++ Mat_Critical("Integer multiplication overflow");
++ continue;
++ }
++ cells[i]->dims = (size_t*)malloc(size);
+ if ( mat->byteswap ) {
+ for ( j = 0; j < cells[i]->rank; j++ )
+ cells[i]->dims[j] = Mat_uint32Swap(dims + j);