[Pkg-dspam-commits] [dspam] 01/04: Enhance patch to fix segfault with malformed css file
Thomas Preud'homme
robotux at alioth.debian.org
Tue Oct 15 15:59:19 UTC 2013
This is an automated email from the git hooks/post-receive script.
robotux pushed a commit to branch master
in repository dspam.
commit a8103b41af698ecbcabdafe4969fe9fc9b3b3634
Author: Thomas Preud'homme <robotux at celest.fr>
Date: Wed Sep 25 13:24:01 2013 +0200
Enhance patch to fix segfault with malformed css file
---
debian/changelog | 7 +++
...2_cssclean_dont_read_past_end_of_css_files.diff | 30 ----------
.../012_dont_read_past_end_of_css_files.diff | 61 ++++++++++++++++++++
debian/patches/series | 2 +-
4 files changed, 69 insertions(+), 31 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 4de64f6..99d2a11 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+dspam (3.10.2+dfsg-10) UNRELEASED; urgency=low
+
+ * debian/patches:
+ + Improve handling of malformed css file (Closes: #722484).
+
+ -- Thomas Preud'homme <robotux at debian.org> Wed, 25 Sep 2013 13:25:02 +0200
+
dspam (3.10.2+dfsg-9) unstable; urgency=low
* Add patch 011_define_WCONTINUED_and_WIFCONTINUED_if_not_defined.diff to
diff --git a/debian/patches/012_cssclean_dont_read_past_end_of_css_files.diff b/debian/patches/012_cssclean_dont_read_past_end_of_css_files.diff
deleted file mode 100644
index 80b617b..0000000
--- a/debian/patches/012_cssclean_dont_read_past_end_of_css_files.diff
+++ /dev/null
@@ -1,30 +0,0 @@
-From: Thomas Preud'homme <robotux at celest.fr>
-Subject: cssclean: don't read past the end of css files
-
-Currently, cssclean assumes css files are well formed. For each header
-encountered, it thus iterates over all the records the header claims to
-be present. However, if the header is corrupted, cssclean will read past
-the end of the css file being cleaned. This patch adds a safeguard
-against such a situation.
-
-Origin: vendor
-Bug: https://sourceforge.net/p/dspam/bug-tracker/170/
-Bug-Debian: http://bugs.debian.org/722057
-Last-Update: 2013-09-10
----
- src/tools.hash_drv/cssclean.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tools.hash_drv/cssclean.c b/src/tools.hash_drv/cssclean.c
-index b3f6264..6889cda 100644
---- a/src/tools.hash_drv/cssclean.c
-+++ b/src/tools.hash_drv/cssclean.c
-@@ -189,7 +189,7 @@ int cssclean(const char *filename, int heavy) {
- filepos = sizeof(struct _hash_drv_header);
- header = old.addr;
- while(filepos < old.file_len) {
-- for(i=0;i<header->hash_rec_max;i++) {
-+ for(i=0;i<header->hash_rec_max && filepos+sizeof(*rec)-1<=old.file_len;i++) {
- rec = (void *)((unsigned long) old.addr + filepos);
-
- nonspam = rec->nonspam & 0x0fffffff;
diff --git a/debian/patches/012_dont_read_past_end_of_css_files.diff b/debian/patches/012_dont_read_past_end_of_css_files.diff
new file mode 100644
index 0000000..5519d7a
--- /dev/null
+++ b/debian/patches/012_dont_read_past_end_of_css_files.diff
@@ -0,0 +1,61 @@
+From: Thomas Preud'homme <robotux at celest.fr>
+Subject: don't read past the end of css files
+
+Currently, dspam's code assumes css files are well formed. It will thus
+check wether a record exist or not by comparing its position against
+the maximum number of records stored in the header. In the case of a
+corrupted header, that check could return true and the code access data
+beyond the end of the file, leading to a segmentation fault. This patch
+fixes two occurences of this assumption in cssclean and the hash driver.
+
+Origin: vendor
+Bug: https://sourceforge.net/p/dspam/bug-tracker/170/
+Bug-Debian: http://bugs.debian.org/722057
+Last-Update: 2013-09-25
+---
+ src/tools.hash_drv/cssclean.c | 2 +-
+ src/hash_drv.c | 10 +++++++---
+ 2 file changed, 8 insertion(+), 4 deletion(-)
+
+diff --git a/src/tools.hash_drv/cssclean.c b/src/tools.hash_drv/cssclean.c
+index b3f6264..6889cda 100644
+--- a/src/tools.hash_drv/cssclean.c
++++ b/src/tools.hash_drv/cssclean.c
+@@ -189,7 +189,7 @@ int cssclean(const char *filename, int heavy) {
+ filepos = sizeof(struct _hash_drv_header);
+ header = old.addr;
+ while(filepos < old.file_len) {
+- for(i=0;i<header->hash_rec_max;i++) {
++ for(i=0;i<header->hash_rec_max && filepos+sizeof(*rec)-1<=old.file_len;i++) {
+ rec = (void *)((unsigned long) old.addr + filepos);
+
+ nonspam = rec->nonspam & 0x0fffffff;
+
+diff --git a/src/hash_drv.c b/src/hash_drv.c
+index 349b491..daae2e7 100644
+--- a/src/hash_drv.c
++++ b/src/hash_drv.c
+@@ -1194,9 +1194,10 @@ unsigned long _hash_drv_seek(
+ ((hashcode % header->hash_rec_max) * sizeof(struct _hash_drv_spam_record));
+
+ rec = (void *)((unsigned long) map->addr + offset + fpos);
+- while(rec->hashcode != hashcode && /* Match token */
+- rec->hashcode != 0 && /* Insert on empty */
+- iterations < map->max_seek) /* Max Iterations */
++ while(rec + sizeof(*rec) <= map->file_len && /* not end of file */
++ rec->hashcode != hashcode && /* Match token */
++ rec->hashcode != 0 && /* Insert on empty */
++ iterations < map->max_seek) /* Max Iterations */
+ {
+ iterations++;
+ fpos += sizeof(struct _hash_drv_spam_record);
+@@ -1206,6 +1207,9 @@ unsigned long _hash_drv_seek(
+ rec = (void *)((unsigned long) map->addr + offset + fpos);
+ }
+
++ if (rec + sizeof(*rec) > map->file_len)
++ return 0;
++
+ if (rec->hashcode == hashcode)
+ return fpos;
+
diff --git a/debian/patches/series b/debian/patches/series
index 9da546e..dfd7200 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,4 +8,4 @@
009_fix_recipient_corruption_when_releasing_message_from_quarantine.diff
010_set_legacy_escape_strings.diff
011_define_WCONTINUED_and_WIFCONTINUED_if_not_defined.diff
-012_cssclean_dont_read_past_end_of_css_files.diff
+012_dont_read_past_end_of_css_files.diff
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-dspam/dspam.git
More information about the Pkg-dspam-commits
mailing list