Overview

File curl-CVE-2018-16839.patch of Package curl.34221

From 4df8ff21144236497fc92521d79fbca2dc079686 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 20 Mar 2018 15:15:14 +0100
Subject: [PATCH 1/2] vauth/cleartext: fix integer overflow check

Make the integer overflow check not rely on the undefined behavior that
a size_t wraps around on overflow.

Detected by lgtm.com
Closes #2408

Upstream-commit: c1366571b609407cf0d4d9f4a2769d29e1313151
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 lib/curl_ntlm_core.c  | 11 +----------
 lib/curl_setup.h      |  9 +++++++++
 lib/vauth/cleartext.c | 14 ++++----------
 3 files changed, 14 insertions(+), 20 deletions(-)

Index: curl-7.37.0/lib/curl_sasl.c
===================================================================
--- curl-7.37.0.orig/lib/curl_sasl.c
+++ curl-7.37.0/lib/curl_sasl.c
@@ -149,7 +149,10 @@ CURLcode Curl_sasl_create_plain_message(
 
   ulen = strlen(userp);
   plen = strlen(passwdp);
-
+  /* Compute binary message length. Check for overflows. */
+  if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2)))
+      return CURLE_OUT_OF_MEMORY;
+  
   plainauth = malloc(2 * ulen + plen + 2);
   if(!plainauth) {
     *outlen = 0;
openSUSE Build Service is sponsored by
Places