LogoopenSUSE Build Service > Projects
Sign Up | Log In

View File curl-CVE-2016-8621.patch of Package curl (Project home:mge1512:aide-static)

From b49dcc911ba237a878dded67865e536a65bc2d87 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 4 Oct 2016 16:59:38 +0200
Subject: [PATCH] parsedate: handle cut off numbers better
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

... and don't read outside of the given buffer!

Reported-by: Luật Nguyễn
---
 lib/parsedate.c        | 12 +++++++-----
 tests/data/test517     |  6 ++++++
 tests/libtest/lib517.c |  8 +++++++-
 3 files changed, 20 insertions(+), 6 deletions(-)

Index: curl-7.37.0/lib/parsedate.c
===================================================================
--- curl-7.37.0.orig/lib/parsedate.c	2014-04-25 23:38:47.000000000 +0200
+++ curl-7.37.0/lib/parsedate.c	2016-10-20 15:08:47.592427064 +0200
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -386,15 +386,17 @@ static int parsedate(const char *date, t
       /* a digit */
       int val;
       char *end;
+      int len=0;
       if((secnum == -1) &&
-         (3 == sscanf(date, "%02d:%02d:%02d", &hournum, &minnum, &secnum))) {
+         (3 == sscanf(date, "%02d:%02d:%02d%n",
+                      &hournum, &minnum, &secnum, &len))) {
         /* time stamp! */
-        date += 8;
+        date += len;
       }
       else if((secnum == -1) &&
-              (2 == sscanf(date, "%02d:%02d", &hournum, &minnum))) {
+              (2 == sscanf(date, "%02d:%02d%n", &hournum, &minnum, &len))) {
         /* time stamp without seconds */
-        date += 5;
+        date += len;
         secnum = 0;
       }
       else {
Index: curl-7.37.0/tests/data/test517
===================================================================
--- curl-7.37.0.orig/tests/data/test517	2014-04-25 14:01:03.000000000 +0200
+++ curl-7.37.0/tests/data/test517	2016-10-20 15:08:47.592427064 +0200
@@ -116,6 +116,12 @@ nothing
 81: 20111323 12:34:56 => -1
 82: 20110623 12:34:79 => -1
 83: Wed, 31 Dec 2008 23:59:60 GMT => 1230768000
+84: 20110623 12:3 => 1308830580
+85: 20110623 1:3 => 1308790980
+86: 20110623 1:30 => 1308792600
+87: 20110623 12:12:3 => 1308831123
+88: 20110623 01:12:3 => 1308791523
+89: 20110623 01:99:30 => -1
 </stdout>
 
 # This test case previously tested an overflow case ("2094 Nov 6 =>
Index: curl-7.37.0/tests/libtest/lib517.c
===================================================================
--- curl-7.37.0.orig/tests/libtest/lib517.c	2014-04-25 14:01:03.000000000 +0200
+++ curl-7.37.0/tests/libtest/lib517.c	2016-10-20 15:08:47.592427064 +0200
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -116,6 +116,12 @@ static const char * const dates[]={
   "20111323 12:34:56",
   "20110623 12:34:79",
   "Wed, 31 Dec 2008 23:59:60 GMT", /* leap second */
+  "20110623 12:3",
+  "20110623 1:3",
+  "20110623 1:30",
+  "20110623 12:12:3",
+  "20110623 01:12:3",
+  "20110623 01:99:30",
   NULL
 };