File libical-timezone-use-after-free.patch of Package libical.7047

Overview Repositories Revisions Requests Users Attributes Meta

File libical-timezone-use-after-free.patch of Package libical.7047

From 6bcc779a17a2d286e4c3cb958ddf369cc01cb42c Mon Sep 17 00:00:00 2001
From: Allen Winter <allen.winter@kdab.com>
Date: Thu, 15 Dec 2016 18:17:10 -0500
Subject: [PATCH] icaltimezone.c - fix heap-use-after-free caused by
 fetch_lat_long_from_string() issue#262

Backported by Mike Gorse <mgorse@suse.com>
---
diff -urp libical-1.0.1.orig/src/libical/icaltimezone.c libical-1.0.1/src/libical/icaltimezone.c
--- libical-1.0.1.orig/src/libical/icaltimezone.c	2014-10-09 10:07:05.000000000 -0500
+++ libical-1.0.1/src/libical/icaltimezone.c	2017-06-19 16:08:11.425132052 -0500
@@ -49,6 +49,7 @@
 #include <pthread.h>
 static pthread_mutex_t builtin_mutex = PTHREAD_MUTEX_INITIALIZER;
 #endif
+#include <stddef.h> /* for ptrdiff_t */
 
 #ifdef WIN32
 #ifndef _WIN32_WCE
@@ -1639,34 +1640,34 @@ fetch_lat_long_from_string  (const char
 
 	/* We need to parse the latitude/longitude co-ordinates and location fields  */
 	sptr = (char *) str;
-	while (*sptr != '\t')
+	while (*sptr != '\t' && *sptr != '\0')
 		sptr++;
 	temp = ++sptr;
-	while (*sptr != '\t')
+	while (*sptr != '\t' && *sptr != '\0')
 		sptr++;
 	len = sptr-temp;
 	lat = (char *) malloc (len + 1);
 	lat = strncpy (lat, temp, len);
 	lat [len] = '\0';
-	while (*sptr != '\t')
+	while (*sptr != '\t' && *sptr != '\0')
 		sptr++;
 	
 	loc = ++sptr;
-	while (!isspace ((int)(*sptr)))
+	while (!isspace ((int)(*sptr)) && *sptr != '\0')
 		sptr++;
-	len = sptr - loc;
+	len = (ptrdiff_t)(sptr - loc);
 	location = strncpy (location, loc, len);
 	location [len] = '\0';
 
 #if defined(sun) && defined(__SVR4)
     /* Handle EET, MET and WET in zone_sun.tab. */
     if (!strcmp (location, "Europe/")) {
-        while (*sptr != '\t')
+        while (*sptr != '\t' && *sptr != '\0')
             sptr++;
         loc = ++sptr;
-        while (!isspace (*sptr))
+        while (!isspace (*sptr) && *sptr != '\0')
             sptr++;
-        len = sptr - loc;
+        len = (ptrdiff_t)sptr - loc);
         location = strncpy (location, loc, len);
         location [len] = '\0';
     }

Places

File libical-timezone-use-after-free.patch of Package libical.7047

Places