File libical-timezone-use-after-free.patch of Package libical.7047
From 6bcc779a17a2d286e4c3cb958ddf369cc01cb42c Mon Sep 17 00:00:00 2001
From: Allen Winter <allen.winter@kdab.com>
Date: Thu, 15 Dec 2016 18:17:10 -0500
Subject: [PATCH] icaltimezone.c - fix heap-use-after-free caused by
fetch_lat_long_from_string() issue#262
Backported by Mike Gorse <mgorse@suse.com>
---
diff -urp libical-1.0.1.orig/src/libical/icaltimezone.c libical-1.0.1/src/libical/icaltimezone.c
--- libical-1.0.1.orig/src/libical/icaltimezone.c 2014-10-09 10:07:05.000000000 -0500
+++ libical-1.0.1/src/libical/icaltimezone.c 2017-06-19 16:08:11.425132052 -0500
@@ -49,6 +49,7 @@
#include <pthread.h>
static pthread_mutex_t builtin_mutex = PTHREAD_MUTEX_INITIALIZER;
#endif
+#include <stddef.h> /* for ptrdiff_t */
#ifdef WIN32
#ifndef _WIN32_WCE
@@ -1639,34 +1640,34 @@ fetch_lat_long_from_string (const char
/* We need to parse the latitude/longitude co-ordinates and location fields */
sptr = (char *) str;
- while (*sptr != '\t')
+ while (*sptr != '\t' && *sptr != '\0')
sptr++;
temp = ++sptr;
- while (*sptr != '\t')
+ while (*sptr != '\t' && *sptr != '\0')
sptr++;
len = sptr-temp;
lat = (char *) malloc (len + 1);
lat = strncpy (lat, temp, len);
lat [len] = '\0';
- while (*sptr != '\t')
+ while (*sptr != '\t' && *sptr != '\0')
sptr++;
loc = ++sptr;
- while (!isspace ((int)(*sptr)))
+ while (!isspace ((int)(*sptr)) && *sptr != '\0')
sptr++;
- len = sptr - loc;
+ len = (ptrdiff_t)(sptr - loc);
location = strncpy (location, loc, len);
location [len] = '\0';
#if defined(sun) && defined(__SVR4)
/* Handle EET, MET and WET in zone_sun.tab. */
if (!strcmp (location, "Europe/")) {
- while (*sptr != '\t')
+ while (*sptr != '\t' && *sptr != '\0')
sptr++;
loc = ++sptr;
- while (!isspace (*sptr))
+ while (!isspace (*sptr) && *sptr != '\0')
sptr++;
- len = sptr - loc;
+ len = (ptrdiff_t)sptr - loc);
location = strncpy (location, loc, len);
location [len] = '\0';
}
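Review bot: The added `*sptr != '\0'` tests stop each scan at the terminator, but the unchanged `temp = ++sptr;` and `loc = ++sptr;` that follow still step over it, so a line with fewer tab-separated fields than expected lets the next loop and the `strncpy` read past the end of `str`. Each scan should be followed by a check that it stopped on a tab, failing the parse when it stopped on `'\0'` and releasing `lat` if it has been allocated by then; the function's error path is outside this hunk, so the right return value needs confirming there. Separately, the Solaris-only branch has an unbalanced parenthesis in `len = (ptrdiff_t)sptr - loc);` and will not compile where `sun` and `__SVR4` are defined; it should read `len = (ptrdiff_t)(sptr - loc);`. The length copied into `location` is also never compared with that buffer's size, which is declared outside the hunk, so a long third field looks able to overrun it.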