path: root/meta/recipes-sato/webkit/webkitgtk/0002-Fix-CVE-2018-12911.patch
Backport upstream patch to fix CVE-2018-12911.

Upstream-Status: Backport [https://trac.webkit.org/changeset/233404/webkit]
CVE: CVE-2018-12911

Signed-off-by: Kai Kang <kai.kang@windriver.com>

From 6a3897a790ff38184aca8032abcd89e8339fdcef Mon Sep 17 00:00:00 2001
From: "mcatanzaro@igalia.com"
 <mcatanzaro@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Sun, 1 Jul 2018 01:15:38 +0000
Subject: [PATCH] Fix off-by-one error in xdg_mime_get_simple_globs
 https://bugs.webkit.org/show_bug.cgi?id=186554

Reviewed by Daniel Bates.

We have an off-by-one error here in some code that was added for WebKit. (This is not an
issue with upstream xdgmime.)

No new tests. This problem is caught by TestDownloads, but only when running with ASan
enabled.

* xdgmime/src/xdgmimecache.c:
(get_simple_globs):
* xdgmime/src/xdgmimeglob.c:
(get_simple_globs):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@233404 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 Source/ThirdParty/xdgmime/src/xdgmimecache.c |  5 ++++-
 Source/ThirdParty/xdgmime/src/xdgmimeglob.c  |  5 ++++-
 3 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/Source/ThirdParty/xdgmime/src/xdgmimecache.c b/Source/ThirdParty/xdgmime/src/xdgmimecache.c
index 9600b9019e2..bdc1973b872 100644
--- a/Source/ThirdParty/xdgmime/src/xdgmimecache.c
+++ b/Source/ThirdParty/xdgmime/src/xdgmimecache.c
@@ -1047,6 +1047,9 @@ get_simple_globs (XdgMimeCache  *cache,
   xdg_uint32_t child_offset;
   int i;
 
+  assert (*n >= 0);
+  assert (depth >= 0);
+
   if (*n >= n_globs)
     return FALSE;
 
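Review bot: The two added `assert` calls check `*n` and `depth` only in builds where `NDEBUG` is undefined; in a release build they compile to nothing, so if a negative `*n` or `depth` is reachable from any caller, the `malloc ((depth + 1) * sizeof (char))` in the next hunk still receives it. If the intent is an invariant check on internal callers rather than input validation, a comment stating that would make it explicit, e.g. `/* Debug-build invariant checks: callers pass non-negative n and depth. */`. It is not visible from the hunk whether this file already includes `<assert.h>`, so that is worth confirming; the same applies to the identical hunk in xdgmimeglob.c. The body of get_simple_globs starts and continues outside this hunk.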
@@ -1055,7 +1058,7 @@ get_simple_globs (XdgMimeCache  *cache,
       xdg_uint32_t mime_offset = GET_UINT32 (cache->buffer, offset + 4);
 
       if (strcasecmp (cache->buffer + mime_offset, mime) == 0) {
-        globs[*n] = malloc (depth * sizeof (char));
+        globs[*n] = malloc ((depth + 1) * sizeof (char));
         for (i = 0; i < depth; i++)
           globs[*n][depth - i - 1] = prefix[i];
         globs[*n][depth] = '\0';
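Review bot: The resized `malloc` on the `+` line is still unchecked: when it returns NULL, the loop on the following line and the `globs[*n][depth] = '\0'` store write through a null pointer. A guard before the loop, such as `if (globs[*n] == NULL) return FALSE;` (or whatever error path the callers expect, since `return FALSE` currently means "no more room"), would keep the out-of-memory case from becoming a crash; the same applies to the identical hunk in xdgmimeglob.c. The `depth + 1` argument is a signed `int` converted to `size_t`, so it also depends on `depth` being non-negative, which the assert added earlier in this file enforces only in non-NDEBUG builds. The enclosing function begins and ends outside this hunk.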
diff --git a/Source/ThirdParty/xdgmime/src/xdgmimeglob.c b/Source/ThirdParty/xdgmime/src/xdgmimeglob.c
index 6fd90fc2fa3..ebe3a0de00c 100644
--- a/Source/ThirdParty/xdgmime/src/xdgmimeglob.c
+++ b/Source/ThirdParty/xdgmime/src/xdgmimeglob.c
@@ -484,6 +484,9 @@ get_simple_globs (XdgGlobHashNode *glob_hash_node,
                   xdg_unichar_t   *prefix,
                   int              depth)
 {
+  assert (*n >= 0);
+  assert (depth >= 0);
+
   if (*n >= n_globs)
     return FALSE;
 
@@ -495,7 +498,7 @@ get_simple_globs (XdgGlobHashNode *glob_hash_node,
         {
           int i;
 
-          globs[*n] = malloc (depth * sizeof (char));
+          globs[*n] = malloc ((depth + 1) * sizeof (char));
           for (i = 0; i < depth; i++)
             globs[*n][depth - i - 1] = prefix[i];
           globs[*n][depth] = '\0';
-- 
2.17.0