File libostree-CVE-2014-9862.patch of Package libostree.25683
diff -urpN libostree-2021.6/bsdiff/bspatch.c libostree-2022.5/bsdiff/bspatch.c
--- libostree-2021.6/bsdiff/bspatch.c 2022-08-29 12:09:02.256353712 -0500
+++ libostree-2022.5/bsdiff/bspatch.c 2022-05-09 11:29:09.000000000 -0500
@@ -25,6 +25,7 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
+#include <limits.h>
#include "bspatch.h"
static int64_t offtin(uint8_t *buf)
@@ -62,7 +63,9 @@ int bspatch(const uint8_t* old, int64_t
};
/* Sanity-check */
- if(newpos+ctrl[0]>newsize)
+ if (ctrl[0]<0 || ctrl[0]>INT_MAX ||
+ ctrl[1]<0 || ctrl[1]>INT_MAX ||
+ newpos+ctrl[0]>newsize)
return -1;
/* Read diff string */
@@ -102,6 +105,8 @@ int bspatch(const uint8_t* old, int64_t
#include <stdio.h>
#include <string.h>
#include <err.h>
+#include <sys/types.h>
+#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>
@@ -129,6 +134,7 @@ int main(int argc,char * argv[])
int64_t oldsize, newsize;
BZFILE* bz2;
struct bspatch_stream stream;
+ struct stat sb;
if(argc!=4) errx(1,"usage: %s oldfile newfile patchfile\n",argv[0]);
@@ -158,6 +164,7 @@ int main(int argc,char * argv[])
((old=malloc(oldsize+1))==NULL) ||
(lseek(fd,0,SEEK_SET)!=0) ||
(read(fd,old,oldsize)!=oldsize) ||
+ (fstat(fd, &sb)) ||
(close(fd)==-1)) err(1,"%s",argv[1]);
if((new=malloc(newsize+1))==NULL) err(1,NULL);
@@ -174,7 +181,7 @@ int main(int argc,char * argv[])
fclose(f);
/* Write the new file */
- if(((fd=open(argv[2],O_CREAT|O_TRUNC|O_WRONLY,0666))<0) ||
+ if(((fd=open(argv[2],O_CREAT|O_TRUNC|O_WRONLY,sb.st_mode))<0) ||
(write(fd,new,newsize)!=newsize) || (close(fd)==-1))
err(1,"%s",argv[2]);