diff options
Diffstat (limited to 'system/cvs/CVE-2010-3846.patch')
| -rw-r--r-- | system/cvs/CVE-2010-3846.patch | 167 |
1 files changed, 0 insertions, 167 deletions
diff --git a/system/cvs/CVE-2010-3846.patch b/system/cvs/CVE-2010-3846.patch deleted file mode 100644 index e1560cef8..000000000 --- a/system/cvs/CVE-2010-3846.patch +++ /dev/null @@ -1,167 +0,0 @@ -From b122edcb68ff05bb6eb22f6e50423e7f1050841b Mon Sep 17 00:00:00 2001 -From: Larry Jones <lawrence.jones@siemens.com> -Date: Thu, 21 Oct 2010 10:08:16 +0200 -Subject: [PATCH] Fix for CVE-2010-3846 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Mallformed RCS revision (delete after the end of input file, or overlayed -deleted regions) screws output file image size computation. This leads to -write attempt after the allocated memory opening hiden memory corruption -driven by CVS server. - -Signed-off-by: Petr Písař <ppisar@redhat.com> ---- - src/rcs.c | 52 +++++++++++++++++++++++++++++----------------------- - 1 files changed, 29 insertions(+), 23 deletions(-) - -diff --git a/src/rcs.c b/src/rcs.c -index 7d0d078..2f88f85 100644 ---- a/src/rcs.c -+++ b/src/rcs.c -@@ -7128,7 +7128,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) - struct deltafrag *dfhead; - struct deltafrag **dftail; - struct deltafrag *df; -- unsigned long numlines, lastmodline, offset; -+ unsigned long numlines, offset; - struct linevector lines; - int err; - -@@ -7202,12 +7202,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) - - /* New temp data structure to hold new org before - copy back into original structure. */ -- lines.nlines = lines.lines_alloced = numlines; -+ lines.lines_alloced = numlines; - lines.vector = xmalloc (numlines * sizeof *lines.vector); - - /* We changed the list order to first to last -- so the - list never gets larger than the size numlines. */ -- lastmodline = 0; -+ lines.nlines = 0; - - /* offset created when adding/removing lines - between new and original structure */ -@@ -7216,25 +7216,24 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) - for (df = dfhead; df != NULL; ) - { - unsigned int ln; -- unsigned long deltaend; -+ unsigned long newpos = df->pos - offset; - -- if (df->pos > orig_lines->nlines) -+ if (newpos < lines.nlines || newpos > numlines) - err = 1; - - /* On error, just free the rest of the list. */ - if (!err) - { -- /* Here we need to get to the line where the next insert will -+ /* Here we need to get to the line where the next change will - begin, which is DF->pos in ORIG_LINES. We will fill up to - DF->pos - OFFSET in LINES with original items. */ -- for (deltaend = df->pos - offset; -- lastmodline < deltaend; -- lastmodline++) -+ while (lines.nlines < newpos) - { - /* we need to copy from the orig structure into new one */ -- lines.vector[lastmodline] = -- orig_lines->vector[lastmodline + offset]; -- lines.vector[lastmodline]->refcount++; -+ lines.vector[lines.nlines] = -+ orig_lines->vector[lines.nlines + offset]; -+ lines.vector[lines.nlines]->refcount++; -+ lines.nlines++; - } - - switch (df->type) -@@ -7246,7 +7245,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) - struct line *q; - int nextline_newline; - size_t nextline_len; -- -+ -+ if (newpos + df->nlines > numlines) -+ { -+ err = 1; -+ break; -+ } - textend = df->new_lines + df->len; - nextline_newline = 0; - nextline_text = df->new_lines; -@@ -7271,8 +7275,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) - q->has_newline = nextline_newline; - q->refcount = 1; - memcpy (q->text, nextline_text, nextline_len); -- lines.vector[lastmodline++] = q; -- offset--; -+ lines.vector[lines.nlines++] = q; - - nextline_text = (char *)p + 1; - nextline_newline = 0; -@@ -7286,11 +7289,11 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) - q->has_newline = nextline_newline; - q->refcount = 1; - memcpy (q->text, nextline_text, nextline_len); -- lines.vector[lastmodline++] = q; -+ lines.vector[lines.nlines++] = q; - - /* For each line we add the offset between the #'s - decreases. */ -- offset--; -+ offset -= df->nlines; - break; - } - -@@ -7301,7 +7304,9 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) - if (df->pos + df->nlines > orig_lines->nlines) - err = 1; - else if (delvers) -+ { - for (ln = df->pos; ln < df->pos + df->nlines; ++ln) -+ { - if (orig_lines->vector[ln]->refcount > 1) - /* Annotate needs this but, since the original - * vector is disposed of before returning from -@@ -7309,6 +7314,8 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) - * there are multiple references. - */ - orig_lines->vector[ln]->vers = delvers; -+ } -+ } - break; - } - } -@@ -7328,21 +7335,20 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) - else - { - /* add the rest of the remaining lines to the data vector */ -- for (; lastmodline < numlines; lastmodline++) -+ while (lines.nlines < numlines) - { - /* we need to copy from the orig structure into new one */ -- lines.vector[lastmodline] = orig_lines->vector[lastmodline -+ lines.vector[lines.nlines] = orig_lines->vector[lines.nlines - + offset]; -- lines.vector[lastmodline]->refcount++; -+ lines.vector[lines.nlines]->refcount++; -+ lines.nlines++; - } - - /* Move the lines vector to the original structure for output, - * first deleting the old. - */ - linevector_free (orig_lines); -- orig_lines->vector = lines.vector; -- orig_lines->lines_alloced = numlines; -- orig_lines->nlines = lines.nlines; -+ *orig_lines = lines; - } - - return !err; --- -1.7.2.3 - |