File libofx-CVE-2017-14731.patch of Package libofx

From fad8418f34094de42e1307113598e0e8bee0a2bd Mon Sep 17 00:00:00 2001
From: Christian Stimming <christian@cstimming.de>
Date: Sat, 28 Oct 2017 17:43:35 +0200
Subject: [PATCH] Fix potential heap overflow as asked by issue#10

https://github.com/libofx/libofx/issues/10
---
 lib/ofx_preproc.cpp | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/lib/ofx_preproc.cpp b/lib/ofx_preproc.cpp
index f07f274..4dbe0aa 100644
--- a/lib/ofx_preproc.cpp
+++ b/lib/ofx_preproc.cpp
@@ -88,7 +88,6 @@ int ofx_proc_file(LibofxContextPtr ctx, const char * p_filename)
   ifstream input_file;
   ofstream tmp_file;
   char buffer[READ_BUFFER_SIZE];
-  char *iconv_buffer;
   string s_buffer;
   char *filenames[3];
   char tmp_filename[256];
@@ -306,9 +305,9 @@ int ofx_proc_file(LibofxContextPtr ctx, const char * p_filename)
           if (file_is_xml == false)
           {
 #ifdef HAVE_ICONV
-            size_t inbytesleft = strlen(s_buffer.c_str());
+            size_t inbytesleft = s_buffer.size();
             size_t outbytesleft = inbytesleft * 2 - 1;
-            iconv_buffer = (char*) malloc (inbytesleft * 2);
+            char * iconv_buffer = (char*) malloc (inbytesleft * 2);
             memset(iconv_buffer, 0, inbytesleft * 2);
 #if defined(OS_WIN32) || defined(__sun) || defined(__NetBSD__)
             const char * inchar = (const char *)s_buffer.c_str();
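Review bot: The output-buffer sizing is still unguarded for an empty line: if `s_buffer` can be empty here (not visible in this hunk), `inbytesleft * 2 - 1` wraps to `SIZE_MAX`, and `malloc(0)` may return NULL or a zero-length block, so iconv is told it has a huge output buffer behind an allocation of no usable size. Deriving both values from one size avoids the wrap: `size_t outbuf_size = inbytesleft * 2 + 1;` and `size_t outbytesleft = outbuf_size - 1;`, with `malloc` and `memset` using `outbuf_size`. The `malloc` result also goes to `memset` unchecked, so an `if (iconv_buffer == NULL)` error path is needed before it. The fixed 2x factor may truncate input whose target encoding expands some bytes to three; with a correct `outbytesleft` that is a conversion error rather than an overflow. The enclosing `#ifdef HAVE_ICONV` block starts and ends outside this hunk.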
@@ -321,9 +320,11 @@ int ofx_proc_file(LibofxContextPtr ctx, const char * p_filename)
                                       &outchar, &outbytesleft);
             if (iconv_retval == -1)
             {
-              message_out(ERROR, "ofx_proc_file(): Conversion error");
+              message_out(ERROR, "ofx_proc_file(): Iconv conversion error");
             }
-            s_buffer = iconv_buffer;
+            // All validly converted bytes will be copied to the
+            // original buffer
+            s_buffer = std::string(iconv_buffer, outchar - iconv_buffer);
             free (iconv_buffer);
 #endif
           }
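Review bot: When `iconv()` fails, the code only logs and then carries on with the converted prefix, so the rest of the line is silently dropped and later parsing sees truncated data. The new comment should state this, e.g. `// On error, outchar marks the end of the successfully converted prefix; the unconverted remainder of the line is discarded.` Logging `errno` in the message would also let an operator tell an undersized output buffer (E2BIG) from invalid input bytes (EILSEQ/EINVAL). The declaration of `iconv_retval` is outside this hunk; if it is `size_t`, the comparison is clearer as `== (size_t)-1`.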
