File libhx-fixed-buffer-overflow.dif of Package libHX

From 904a46f90dd3f046bfac0b64a5e813d7cd4fca59 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@medozas.de>
Date: Mon, 16 Aug 2010 19:08:51 +0200
Subject: [PATCH] string: fixed buffer overflow in HX_split when too few fields are present

When HX_split is called with a maximum number of desired fields (4th
argument != 0), passing in a string that has less fields than that led
to a buffer overrun (write beyond end of malloc'd area).

CVSS Base Score: 10
- Impact Subscore: 10
- Exploitability Subscore: 10
CVSS Temporal Score: 7.4
CVSS Environmental Score: Undefined
Overall CVSS Score: 7.4

CVSS Base vector:: AV:N/AC:L/Au:N/C:C/I:C/A:C
- AV: libHX may be used by network services
- Au: some services may not require authentication
- A: can cause crash when result is freed

CVSS Temporal vectors:: RL:O/RC:C

Affects all versions prior to, and including, 3.5.
---
 src/string.c      |    2 +-
 src/tx-string.cpp |   12 ++++++++++++
 3 files changed, 15 insertions(+), 1 deletions(-)

Index: libHX-2.9/src/string.c
===================================================================
--- libHX-2.9.orig/src/string.c
+++ libHX-2.9/src/string.c
@@ -135,7 +135,7 @@ EXPORT_SYMBOL char **HX_split(const char
 		}
 	}
 
-	if (max == 0)
+	if (max == 0 || *cp < max)
 		max = *cp;
 	else if (*cp > max)
 		*cp = max;
Index: libHX-2.9/src/tx-string.cpp
===================================================================
--- libHX-2.9.orig/src/tx-string.cpp
+++ libHX-2.9/src/tx-string.cpp
@@ -132,6 +132,17 @@ static void t_split(void)
 	free(a1);
 }
 
+static void t_split2(void)
+{
+       static const char tmp[] = "";
+       int c = 0;
+       char **a;
+
+       a = HX_split(tmp, " ", &c, 6);
+       printf("Got %d fields\n", c);
+       HX_zvecfree(a);
+}
+
 int main(int argc, const char **argv)
 {
 	hxmc_t *tx = NULL;
@@ -151,5 +162,6 @@ int main(int argc, const char **argv)
 	t_strncat();
 	t_strsep();
 	t_split();
+	t_split2();
 	return EXIT_SUCCESS;
 }