File bsc1185383.4_CVE-2019-25032.3_226298bb.patch of Package unbound.32015

From 226298bbd36f1f0fd9608e98c2ae85988b7bbdb8 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
Date: Tue, 19 Nov 2019 15:38:05 +0100
Subject: [PATCH] - Fix Integer Overflow in Regional Allocator,   reported by
 X41 D-Sec.

---
 configure       |   33 +++++++++++++++++++++++++++++++++
 configure.ac    |    1 +
 util/regional.c |   12 +++++++++++-
 3 files changed, 45 insertions(+), 1 deletion(-)

--- configure.ac
+++ configure.ac	2022-01-17 12:52:10.653451495 +0000
@@ -360,6 +360,7 @@ AC_INCLUDES_DEFAULT
 # endif
 #endif
 ])
+AC_CHECK_SIZEOF(size_t)
 
 # add option to disable the evil rpath
 ACX_ARG_RPATH
--- configure
+++ configure	2022-01-17 12:52:10.653451495 +0000
@@ -14828,6 +14828,39 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 
+# The cast to long int works around a bug in the HP C Compiler
+# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
+# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
+# This bug is HP SR number 8606223364.
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of size_t" >&5
+$as_echo_n "checking size of size_t... " >&6; }
+if ${ac_cv_sizeof_size_t+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (size_t))" "ac_cv_sizeof_size_t"        "$ac_includes_default"; then :
+
+else
+  if test "$ac_cv_type_size_t" = yes; then
+     { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error 77 "cannot compute sizeof (size_t)
+See \`config.log' for more details" "$LINENO" 5; }
+   else
+     ac_cv_sizeof_size_t=0
+   fi
+fi
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_size_t" >&5
+$as_echo "$ac_cv_sizeof_size_t" >&6; }
+
+
+
+cat >>confdefs.h <<_ACEOF
+#define SIZEOF_SIZE_T $ac_cv_sizeof_size_t
+_ACEOF
+
+
 
 # add option to disable the evil rpath
 
--- util/regional.c
+++ util/regional.c	2022-01-17 12:52:10.653451495 +0000
@@ -120,8 +120,18 @@ regional_destroy(struct regional *r)
 void *
 regional_alloc(struct regional *r, size_t size)
 {
-	size_t a = ALIGN_UP(size, ALIGNMENT);
+	size_t a;
 	void *s;
+	if(
+#if SIZEOF_SIZE_T == 8
+		(unsigned long long)size >= 0xffffffffffffff00ULL
+#else
+		(unsigned)size >= (unsigned)0xffffff00UL
+#endif
+		)
+		return NULL; /* protect against integer overflow in
+			malloc and ALIGN_UP */
+	a = ALIGN_UP(size, ALIGNMENT);
 	/* large objects */
 	if(a > REGIONAL_LARGE_OBJECT_SIZE) {
 		s = malloc(ALIGNMENT + size);
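Review bot: The guard in `regional_alloc` depends on `SIZEOF_SIZE_T` from the regenerated config header, and when that macro is undefined or 0 the `#if` silently takes the `#else` branch, where `(unsigned)size` truncates a 64-bit `size`. The overflow range is still rejected in that case, but so is any size whose low 32 bits are at or above 0xffffff00. Comparing in `size_t` itself avoids the preprocessor split, for example `if(size >= (size_t)-1 - 0xff) return NULL;`, which gives the same threshold on both widths. That 256-byte margin covers `ALIGN_UP(size, ALIGNMENT)` and `malloc(ALIGNMENT + size)` only if ALIGNMENT is below 256; ALIGNMENT is defined outside this hunk, so the comment should state that assumption. The body of `regional_alloc` continues past the end of the hunk.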