File libical-timezone-use-after-free.patch of Package libical.17518

From 6bcc779a17a2d286e4c3cb958ddf369cc01cb42c Mon Sep 17 00:00:00 2001
From: Allen Winter <allen.winter@kdab.com>
Date: Thu, 15 Dec 2016 18:17:10 -0500
Subject: [PATCH] icaltimezone.c - fix heap-use-after-free caused by
 fetch_lat_long_from_string() issue#262

Backported by Mike Gorse <mgorse@suse.com>
---
diff -urp libical-2.0.0.orig/src/libical/icaltimezone.c libical-2.0.0/src/libical/icaltimezone.c
--- libical-2.0.0.orig/src/libical/icaltimezone.c	2015-12-28 15:44:53.000000000 -0600
+++ libical-2.0.0/src/libical/icaltimezone.c	2017-06-19 15:48:27.789017341 -0500
@@ -1520,39 +1520,39 @@ static int fetch_lat_long_from_string(co
 
     /* We need to parse the latitude/longitude co-ordinates and location fields  */
     sptr = (char *)str;
-    while (*sptr != '\t') {
+    while ((*sptr != '\t') && (*sptr != '\0')) {
         sptr++;
     }
     temp = ++sptr;
-    while (*sptr != '\t') {
+    while (*sptr != '\t' && *sptr != '\0') {
         sptr++;
     }
     len = (ptrdiff_t) (sptr - temp);
     lat = (char *)malloc(len + 1);
     lat = strncpy(lat, temp, len);
     lat[len] = '\0';
-    while (*sptr != '\t') {
+    while ((*sptr != '\t') && (*sptr != '\0')) {
         sptr++;
     }
     loc = ++sptr;
-    while (!isspace((int)(*sptr))) {
+    while (!isspace((int)(*sptr)) && (*sptr != '\0')) {
         sptr++;
     }
-    len = (ptrdiff_t) (sptr - loc);
+    len = (ptrdiff_t)(sptr - loc);
     location = strncpy(location, loc, len);
     location[len] = '\0';
 
 #if defined(sun) && defined(__SVR4)
     /* Handle EET, MET and WET in zone_sun.tab. */
     if (!strcmp(location, "Europe/")) {
-        while (*sptr != '\t') {
+        while ((*sptr != '\t') && (*sptr != '\0')) {
             sptr++;
         }
         loc = ++sptr;
-        while (!isspace(*sptr)) {
+        while (!isspace(*sptr) && (*sptr != '\0')) {
             sptr++;
         }
-        len = sptr - loc;
+        len = (ptrdiff_t)(sptr - loc);
         location = strncpy(location, loc, len);
         location[len] = '\0';
     }
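Review bot: The added `'\0'` tests stop each scan at the terminator, but the unconditional `temp = ++sptr;` and both `loc = ++sptr;` lines that follow still step one byte past it when a line has fewer tab-separated fields than expected, so the next loop reads beyond the end of `str`. Advancing only when a tab was actually found keeps the pointer inside the string, e.g. `temp = (*sptr != '\0') ? sptr + 1 : sptr;`, with the same form for the two `loc` assignments. Separately, the result of `malloc(len + 1)` is passed to `strncpy` unchecked. The size of `location` is not visible in this hunk, so whether `len` always fits it should be confirmed where that buffer is allocated. The function begins and ends outside the hunk.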
Only in libical-2.0.0/src/libical: icaltimezone.c.orig