diff options
author | Zach van Rijn <me@zv.io> | 2022-01-14 04:38:01 +0000 |
---|---|---|
committer | Zach van Rijn <me@zv.io> | 2022-10-21 18:33:57 -0500 |
commit | 13c05c4fcba68506963e3fd739dd1a388fbc45a2 (patch) | |
tree | 8c195210982c9f865e6230500b5394329ba38d66 /user/libproxy/CVE-2020-26154.patch | |
parent | 4a44f20744b33efe6e4cc72bdc08fcdbedae779b (diff) | |
download | packages-13c05c4fcba68506963e3fd739dd1a388fbc45a2.tar.gz packages-13c05c4fcba68506963e3fd739dd1a388fbc45a2.tar.bz2 packages-13c05c4fcba68506963e3fd739dd1a388fbc45a2.tar.xz packages-13c05c4fcba68506963e3fd739dd1a388fbc45a2.zip |
user/libproxy: bump { 0.4.15 --> 0.4.17 }, fix build with Python 3.10
Diffstat (limited to 'user/libproxy/CVE-2020-26154.patch')
-rw-r--r-- | user/libproxy/CVE-2020-26154.patch | 93 |
1 files changed, 0 insertions, 93 deletions
diff --git a/user/libproxy/CVE-2020-26154.patch b/user/libproxy/CVE-2020-26154.patch deleted file mode 100644 index 929083327..000000000 --- a/user/libproxy/CVE-2020-26154.patch +++ /dev/null @@ -1,93 +0,0 @@ -From 4411b523545b22022b4be7d0cac25aa170ae1d3e Mon Sep 17 00:00:00 2001 -From: Fei Li <lifeibiren@gmail.com> -Date: Fri, 17 Jul 2020 02:18:37 +0800 -Subject: [PATCH] Fix buffer overflow when PAC is enabled - -The bug was found on Windows 10 (MINGW64) when PAC is enabled. It turned -out to be the large PAC file (more than 102400 bytes) returned by a -local proxy program with no content-length present. ---- - libproxy/url.cpp | 44 +++++++++++++++++++++++++++++++------------- - 1 file changed, 31 insertions(+), 13 deletions(-) - -diff --git a/libproxy/url.cpp b/libproxy/url.cpp -index ee776b2..8684086 100644 ---- a/libproxy/url.cpp -+++ b/libproxy/url.cpp -@@ -54,7 +54,7 @@ using namespace std; - #define PAC_MIME_TYPE_FB "text/plain" - - // This is the maximum pac size (to avoid memory attacks) --#define PAC_MAX_SIZE 102400 -+#define PAC_MAX_SIZE 0x800000 - // This is the default block size to use when receiving via HTTP - #define PAC_HTTP_BLOCK_SIZE 512 - -@@ -478,15 +478,13 @@ char* url::get_pac() { - } - - // Get content -- unsigned int recvd = 0; -- buffer = new char[PAC_MAX_SIZE]; -- memset(buffer, 0, PAC_MAX_SIZE); -+ std::vector<char> dynamic_buffer; - do { - unsigned int chunk_length; - - if (chunked) { - // Discard the empty line if we received a previous chunk -- if (recvd > 0) recvline(sock); -+ if (!dynamic_buffer.empty()) recvline(sock); - - // Get the chunk-length line as an integer - if (sscanf(recvline(sock).c_str(), "%x", &chunk_length) != 1 || chunk_length == 0) break; -@@ -498,21 +496,41 @@ char* url::get_pac() { - - if (content_length >= PAC_MAX_SIZE) break; - -- while (content_length == 0 || recvd != content_length) { -- int r = recv(sock, buffer + recvd, -- content_length == 0 ? PAC_HTTP_BLOCK_SIZE -- : content_length - recvd, 0); -+ while (content_length == 0 || dynamic_buffer.size() != content_length) { -+ // Calculate length to recv -+ unsigned int length_to_read = PAC_HTTP_BLOCK_SIZE; -+ if (content_length > 0) -+ length_to_read = content_length - dynamic_buffer.size(); -+ -+ // Prepare buffer -+ dynamic_buffer.resize(dynamic_buffer.size() + length_to_read); -+ -+ int r = recv(sock, dynamic_buffer.data() + dynamic_buffer.size() - length_to_read, length_to_read, 0); -+ -+ // Shrink buffer to fit -+ if (r >= 0) -+ dynamic_buffer.resize(dynamic_buffer.size() - length_to_read + r); -+ -+ // PAC size too large, discard -+ if (dynamic_buffer.size() >= PAC_MAX_SIZE) { -+ chunked = false; -+ dynamic_buffer.clear(); -+ break; -+ } -+ - if (r <= 0) { - chunked = false; - break; - } -- recvd += r; - } - } while (chunked); - -- if (content_length != 0 && string(buffer).size() != content_length) { -- delete[] buffer; -- buffer = NULL; -+ if (content_length == 0 || content_length == dynamic_buffer.size()) { -+ buffer = new char[dynamic_buffer.size() + 1]; -+ if (!dynamic_buffer.empty()) { -+ memcpy(buffer, dynamic_buffer.data(), dynamic_buffer.size()); -+ } -+ buffer[dynamic_buffer.size()] = '\0'; - } - } - |