[maemo-commits] r17656 - in projects/haf/trunk/glib: . glib
From: subversion at stage.maemo.org subversion at stage.maemo.org
Date: Thu Mar 12 17:28:18 EET 2009
Author: mitch Date: 2009-03-12 17:28:14 +0200 (Thu, 12 Mar 2009) New Revision: 17656 Modified: projects/haf/trunk/glib/ChangeLog projects/haf/trunk/glib/glib/gbase64.c Log: 2009-03-12 Michael Natterer <mitch at imendio.com> Merged from upstream: * glib/gbase64.c: Avoid integer overflows in the base64 functions. Fixes CVE-2008-4316 Modified: projects/haf/trunk/glib/ChangeLog =================================================================== --- projects/haf/trunk/glib/ChangeLog 2009-03-12 13:40:55 UTC (rev 17655) +++ projects/haf/trunk/glib/ChangeLog 2009-03-12 15:28:14 UTC (rev 17656) @@ -1,3 +1,10 @@ +2009-03-12 Michael Natterer <mitch at imendio.com> + + Merged from upstream: + + * glib/gbase64.c: Avoid integer overflows in the base64 + functions. Fixes CVE-2008-4316 + 2008-12-02 17:23:20 Tim Janik <timj at imendio.com> * configure.in: provide flags needed for ARM backtraces for ARM CPUs only. Modified: projects/haf/trunk/glib/glib/gbase64.c =================================================================== --- projects/haf/trunk/glib/glib/gbase64.c 2009-03-12 13:40:55 UTC (rev 17655) +++ projects/haf/trunk/glib/glib/gbase64.c 2009-03-12 15:28:14 UTC (rev 17656) @@ -54,8 +54,9 @@ * * The output buffer must be large enough to fit all the data that will * be written to it. Due to the way base64 encodes you will need - * at least: @len * 4 / 3 + 6 bytes. If you enable line-breaking you will - * need at least: @len * 4 / 3 + @len * 4 / (3 * 72) + 7 bytes. + * at least: (@len / 3 + 1) * 4 + 4 bytes (+ 4 may be needed in case of + * non-zero state). If you enable line-breaking you will need at least: + * ((@len / 3 + 1) * 4 + 4) / 72 + 1 bytes of extra space. * * @break_lines is typically used when putting base64-encoded data in emails. * It breaks the lines at 72 columns instead of putting all of the text on 
@@ -233,8 +234,14 @@ g_return_val_if_fail (data != NULL, NULL); g_return_val_if_fail (len > 0, NULL); - /* We can use a smaller limit here, since we know the saved state is 0 */ - out = g_malloc (len * 4 / 3 + 4); + /* We can use a smaller limit here, since we know the saved state is 0, + +1 is needed for trailing \0, also check for unlikely integer overflow */ + if (len >= ((G_MAXSIZE - 1) / 4 - 1) * 3) + g_error("%s: input too large for Base64 encoding (%"G_GSIZE_FORMAT" chars)", + G_STRLOC, len); + + out = g_malloc ((len / 3 + 1) * 4 + 1); + outlen = g_base64_encode_step (data, len, FALSE, out, &state, &save); outlen += g_base64_encode_close (FALSE, out + outlen, &state, &save); out[outlen] = '\0'; @@ -275,7 +282,8 @@ * * The output buffer must be large enough to fit all the data that will * be written to it. Since base64 encodes 3 bytes in 4 chars you need - * at least: @len * 3 / 4 bytes. + * at least: (@len / 4) * 3 + 3 bytes (+ 3 may be needed in case of non-zero + * state). * * Return value: The number of bytes of output that was written * @@ -358,7 +366,8 @@ gsize *out_len) { guchar *ret; - gint input_length, state = 0; + gsize input_length; + gint state = 0; guint save = 0; g_return_val_if_fail (text != NULL, NULL); @@ -368,7 +377,9 @@ g_return_val_if_fail (input_length > 1, NULL); - ret = g_malloc0 (input_length * 3 / 4); + /* We can use a smaller limit here, since we know the saved state is 0, + +1 used to avoid calling g_malloc0(0), and hence retruning NULL */ + ret = g_malloc0 ((input_length / 4) * 3 + 1); *out_len = g_base64_decode_step (text, input_length, ret, &state, &save);
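Review bot: In the g_base64_encode_step doc comment (@@ -54,8 +54,9 @@), the line-breaking sentence silently changes from a total to an increment: the old text gave one complete size (@len * 4 / 3 + @len * 4 / (3 * 72) + 7), while the new ((@len / 3 + 1) * 4 + 4) / 72 + 1 is "bytes of extra space" to be added to the first formula. Suggest writing out the full sum for the line-breaking case so the two numbers are not read as alternatives. The comment could also say that a caller computing (@len / 3 + 1) * 4 + 4 for its own buffer has to guard against the same wrap-around that the g_base64_encode hunk now checks for before its g_malloc.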
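Review bot: In the g_base64_encode hunk (@@ -233,8 +234,14 @@), the new size guard reports oversize input through g_error(), which terminates the process, whereas the two precondition checks directly above it return NULL via g_return_val_if_fail; the function's doc comment should state that an input at or above ((G_MAXSIZE - 1) / 4 - 1) * 3 bytes is fatal, so callers passing untrusted lengths know to bound them first. The bound itself is consistent with the allocation that follows: for any len below it, (len / 3 + 1) * 4 + 1 stays under G_MAXSIZE. Two smaller points: the message says "chars" although len counts input bytes, and g_error("...") lacks the space before the parenthesis that the neighbouring g_malloc ( and g_return_val_if_fail ( calls use.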
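Review bot: In the g_base64_decode_step doc comment (@@ -275,7 +282,8 @@), the parenthetical "(+ 3 may be needed in case of non-zero state)" does not say whether that + 3 is the one already present in (@len / 4) * 3 + 3 or a further addition. The g_base64_decode hunk allocates (input_length / 4) * 3 + 1 with state 0, which implies the + 3 in the formula is the state allowance; wording it as "the + 3 covers bytes carried over in a non-zero state" would remove the ambiguity. The same applies to the "+ 4" parenthetical in the encode_step comment.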
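Review bot: In the g_base64_decode hunk (@@ -368,7 +377,9 @@), the added comment has a typo ("retruning") and explains only the + 1, not the actual fix: the old input_length * 3 / 4 multiplied first and could wrap, while (input_length / 4) * 3 + 1 divides first and can never exceed input_length given the input_length > 1 check above it. Suggest saying that in the comment, so the operand order is not "simplified" back later. This hunk also depends on the previous one changing input_length from gint to gsize; the assignment to input_length falls outside the shown context, so it is worth confirming that nothing there still narrows the value to gint.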