summaryrefslogtreecommitdiff
path: root/user/libproxy/CVE-2020-26154.patch
diff options
context:
space:
mode:
Diffstat (limited to 'user/libproxy/CVE-2020-26154.patch')
-rw-r--r--user/libproxy/CVE-2020-26154.patch93
1 files changed, 0 insertions, 93 deletions
diff --git a/user/libproxy/CVE-2020-26154.patch b/user/libproxy/CVE-2020-26154.patch
deleted file mode 100644
index 929083327..000000000
--- a/user/libproxy/CVE-2020-26154.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 4411b523545b22022b4be7d0cac25aa170ae1d3e Mon Sep 17 00:00:00 2001
-From: Fei Li <lifeibiren@gmail.com>
-Date: Fri, 17 Jul 2020 02:18:37 +0800
-Subject: [PATCH] Fix buffer overflow when PAC is enabled
-
-The bug was found on Windows 10 (MINGW64) when PAC is enabled. It turned
-out to be the large PAC file (more than 102400 bytes) returned by a
-local proxy program with no content-length present.
----
- libproxy/url.cpp | 44 +++++++++++++++++++++++++++++++-------------
- 1 file changed, 31 insertions(+), 13 deletions(-)
-
-diff --git a/libproxy/url.cpp b/libproxy/url.cpp
-index ee776b2..8684086 100644
---- a/libproxy/url.cpp
-+++ b/libproxy/url.cpp
-@@ -54,7 +54,7 @@ using namespace std;
- #define PAC_MIME_TYPE_FB "text/plain"
-
- // This is the maximum pac size (to avoid memory attacks)
--#define PAC_MAX_SIZE 102400
-+#define PAC_MAX_SIZE 0x800000
- // This is the default block size to use when receiving via HTTP
- #define PAC_HTTP_BLOCK_SIZE 512
-
-@@ -478,15 +478,13 @@ char* url::get_pac() {
- }
-
- // Get content
-- unsigned int recvd = 0;
-- buffer = new char[PAC_MAX_SIZE];
-- memset(buffer, 0, PAC_MAX_SIZE);
-+ std::vector<char> dynamic_buffer;
- do {
- unsigned int chunk_length;
-
- if (chunked) {
- // Discard the empty line if we received a previous chunk
-- if (recvd > 0) recvline(sock);
-+ if (!dynamic_buffer.empty()) recvline(sock);
-
- // Get the chunk-length line as an integer
- if (sscanf(recvline(sock).c_str(), "%x", &chunk_length) != 1 || chunk_length == 0) break;
-@@ -498,21 +496,41 @@ char* url::get_pac() {
-
- if (content_length >= PAC_MAX_SIZE) break;
-
-- while (content_length == 0 || recvd != content_length) {
-- int r = recv(sock, buffer + recvd,
-- content_length == 0 ? PAC_HTTP_BLOCK_SIZE
-- : content_length - recvd, 0);
-+ while (content_length == 0 || dynamic_buffer.size() != content_length) {
-+ // Calculate length to recv
-+ unsigned int length_to_read = PAC_HTTP_BLOCK_SIZE;
-+ if (content_length > 0)
-+ length_to_read = content_length - dynamic_buffer.size();
-+
-+ // Prepare buffer
-+ dynamic_buffer.resize(dynamic_buffer.size() + length_to_read);
-+
-+ int r = recv(sock, dynamic_buffer.data() + dynamic_buffer.size() - length_to_read, length_to_read, 0);
-+
-+ // Shrink buffer to fit
-+ if (r >= 0)
-+ dynamic_buffer.resize(dynamic_buffer.size() - length_to_read + r);
-+
-+ // PAC size too large, discard
-+ if (dynamic_buffer.size() >= PAC_MAX_SIZE) {
-+ chunked = false;
-+ dynamic_buffer.clear();
-+ break;
-+ }
-+
- if (r <= 0) {
- chunked = false;
- break;
- }
-- recvd += r;
- }
- } while (chunked);
-
-- if (content_length != 0 && string(buffer).size() != content_length) {
-- delete[] buffer;
-- buffer = NULL;
-+ if (content_length == 0 || content_length == dynamic_buffer.size()) {
-+ buffer = new char[dynamic_buffer.size() + 1];
-+ if (!dynamic_buffer.empty()) {
-+ memcpy(buffer, dynamic_buffer.data(), dynamic_buffer.size());
-+ }
-+ buffer[dynamic_buffer.size()] = '\0';
- }
- }
-