Overview

File Fix-CVE-2021-31229-bug-26-CVE-2019-20201-bug-16-CVE-2019-20198-bug-20.patch of Package netcdf

From: Egbert Eich <eich@suse.com>
Date: Mon Oct 25 15:52:52 2021 +0200
Subject: Fix CVE-2021-31229 bug 26, CVE-2019-20201 bug 16, CVE-2019-20198 bug 20
Patch-mainline: Not yet
Git-commit: 9b1b7867f337d4256fbc7b5d2bb5bed0889cbe7c
References: 

This Fixes
 https://sourceforge.net/p/ezxml/bugs/26/
 https://sourceforge.net/p/ezxml/bugs/16/
 https://sourceforge.net/p/ezxml/bugs/20/

Signed-off-by: Egbert Eich <eich@suse.com>
---
 netcdf-c-4.8.0/libdap4/ezxml.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/netcdf-c-4.8.0/libdap4/ezxml.c b/netcdf-c-4.8.0/libdap4/ezxml.c
index b11c88a..225bcd8 100644
--- a/libdap4/ezxml.c
+++ b/libdap4/ezxml.c
@@ -327,6 +327,7 @@ short ezxml_internal_dtd(ezxml_root_t root, char *s, size_t len)
 {
     char q, *c, *t, *n = NULL, *v, **ent, **pe;
     int i, j;
+    size_t n_len, n_off;
 
     pe = memcpy(malloc(sizeof(EZXML_NIL)), EZXML_NIL, sizeof(EZXML_NIL));
 
@@ -337,7 +338,13 @@ short ezxml_internal_dtd(ezxml_root_t root, char *s, size_t len)
         else if (! strncmp(s, "<!ENTITY", 8)) { /* parse entity definitions*/
             c = s += strspn(s + 8, EZXML_WS) + 8; /* skip white space separator*/
             n = s + strspn(s, EZXML_WS "%"); /* find name*/
-            *(s = n + strcspn(n, EZXML_WS)) = ';'; /* append ; to name*/
+            n_len = strlen(n);
+            n_off = strcspn(n, EZXML_WS);
+            if(n_off >= n_len) {
+                ezxml_err(root, NULL, "write past buffer (<!ENTITY)");
+                break;
+            }
+            *(s = n + n_off) = ';'; // append ; to name
 
             v = s + strspn(s + 1, EZXML_WS) + 1; /* find value*/
             if ((q = *(v++)) != '"' && q != '\'') { /* skip externals*/
openSUSE Build Service is sponsored by
Places