Diffstat (limited to 'extra/cvsps/cvsps-buffer-overflow.patch')
-rw-r--r-- | extra/cvsps/cvsps-buffer-overflow.patch | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/extra/cvsps/cvsps-buffer-overflow.patch b/extra/cvsps/cvsps-buffer-overflow.patch
new file mode 100644
index 000000000..e34fd6ee3
--- /dev/null
+++ b/extra/cvsps/cvsps-buffer-overflow.patch
@@ -0,0 +1,66 @@
+diff -Naur cvsps-3.2.orig/cvsps.c cvsps-3.2/cvsps.c
+--- cvsps-3.2.orig/cvsps.c 2012-12-24 19:23:24.000000000 +0000
++++ cvsps-3.2/cvsps.c 2012-12-27 03:28:24.698076155 +0000
+@@ -1078,17 +1078,16 @@
+ static CvsFile * parse_rcs_file(const char * buff)
+ {
+ char fn[PATH_MAX];
+- int len = strlen(buff + 10);
++ size_t len = strlen(buff + 10);
+ char * p;
+
+ /* once a single file has been parsed ok we set this */
+ static bool path_ok;
+-
++
+ /* chop the ",v" string and the "LF" */
+ len -= 3;
+ memcpy(fn, buff + 10, len);
+ fn[len] = 0;
+-
+ if (strncmp(fn, strip_path, strip_path_len) != 0)
+ {
+ /* if the very first file fails the strip path,
+@@ -1109,10 +1108,10 @@
+
+ while ((p = strstr(p, repository_path)))
+ lastp = p++;
+-
++
+ if (lastp)
+ {
+- int len = strlen(repository_path);
++ size_t len = strlen(repository_path);
+ memcpy(strip_path, fn, lastp - fn + len + 1);
+ strip_path_len = lastp - fn + len + 1;
+ strip_path[strip_path_len] = 0;
+@@ -1136,16 +1135,26 @@
+ *
+ * For now just ignore such files
+ */
+- debug(DEBUG_APPWARN, "WARNING: file %s doesn't match strip_path %s. ignoring",
++ debug(DEBUG_APPWARN, "WARNING: file %s doesn't match strip_path %s. ignoring",
+ fn, strip_path);
+ return NULL;
+ }
+
+ ok:
+- path_ok = true;
+-
++ /*
++ fix for rhbz#576076
++ ./cvsps --norc -q --cvs-direct -u -A --root :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot NSS
++ */
++ if(len <= strip_path_len)
++ {
++ debug(DEBUG_APPWARN, "WARNING: file %s doesn't match strip_path %s. ignoring",
++ fn, strip_path);
++ return NULL;
++ }
+ /* remove from beginning the 'strip_path' string */
+ len -= strip_path_len;
++ path_ok = true;
++
+ memmove(fn, fn + strip_path_len, len);
+ fn[len] = 0;
+ |
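Review bot: The copy into `fn` at the top of parse_rcs_file (first inner hunk) is still unbounded: `len` comes from `strlen(buff + 10)`, is reduced by 3, and goes straight into `memcpy(fn, buff + 10, len)` with no comparison against `sizeof fn`. Now that `len` is `size_t`, an input with fewer than three characters after the prefix makes `len -= 3` wrap to a very large value, so the new `len <= strip_path_len` guard further down is reached only after the stack buffer has been written. A check placed before the subtraction, such as `if (len < 3 || len - 3 >= sizeof fn) return NULL;`, would cover both the short and the over-long case. The second inner hunk's `memcpy(strip_path, fn, lastp - fn + len + 1)` probably needs the same kind of bound, but the declaration of `strip_path` is outside the hunks, as is the rest of the function body.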