[libmusicbrainz-discid-perl] 01/04: really stop overrunning offsets[] when filling it

Damyan Ivanov dmn at moszumanska.debian.org
Tue Aug 19 18:19:53 UTC 2014


This is an automated email from the git hooks/post-receive script.

dmn pushed a commit to branch master
in repository libmusicbrainz-discid-perl.

commit e26e022d611c7661bc24ace04ece77337c23b9cb
Author: Damyan Ivanov <dmn at debian.org>
Date:   Tue Aug 19 18:11:26 2014 +0000

    really stop overrunning offsets[] when filling it
---
 debian/patches/stack-corruption-discid_put.patch | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/debian/patches/stack-corruption-discid_put.patch b/debian/patches/stack-corruption-discid_put.patch
index fe0b1ff..084fa03 100644
--- a/debian/patches/stack-corruption-discid_put.patch
+++ b/debian/patches/stack-corruption-discid_put.patch
@@ -2,18 +2,21 @@ Description: stack corruption in discid_put
  This patch fixes two ways to corrupt the stack. One is by supplying
  more that 99 offset arguments. The offsets array is declared with space
  for 100 elements, but the first is reserved for the sectors argument.
+ The patch addresses this by limitting the filling of offsets[] to 99 elements
+ (plus the sectors argument which is in offsets[0]). It relies on libdiscid
+ to return false if the request was for more than 99 offsets.
  .
  The second stack corruption is because of a typo in the initialization
  for loop. Because of that, the for loop is essentially reduced to
  "i=100" and the following line (not part of the loop) sets
  offsets[100], which is beyond the allocated space for the array. Using
- memset should be safer and possibly faster.
+ memset is safer and probably faster.
 Author: Damyan Ivanov <dmn at debian.org>
 Bug-Debian: https://bugs.debian.org/758216
 
 --- a/lib/MusicBrainz/DiscID.xs
 +++ b/lib/MusicBrainz/DiscID.xs
-@@ -124,11 +124,12 @@ discid_put( disc, first_track, sectors,
+@@ -124,12 +124,13 @@ discid_put( disc, first_track, sectors,
    DiscId *disc
    int first_track
    int sectors
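
Review bot: In the added description paragraph, the sentence saying the patch "relies on libdiscid to return false if the request was for more than 99 offsets" does not explain how libdiscid still sees the oversized request once the copy into offsets[] is capped. The description should name the argument that carries the original track count, because otherwise the extra offsets would be silently dropped rather than rejected. In the same paragraph, "limitting" should read "limiting".
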
@@ -23,8 +26,10 @@ Bug-Debian: https://bugs.debian.org/758216
    CODE:
 -	  for (i=0;i<100;i++);
 -	      offsets[i] = 0;
-+    if (items > 102 ) n_items = 102;  // rely on discid_put to return error
+-    for (i=3; i<items; i++) {
 +    memset(offsets, 0, sizeof(offsets));
-     for (i=3; i<items; i++) {
++    if (items > 102 ) n_items = 102;  // rely on discid_put to return error
++    for (i=3; i<n_items; i++) {
          offsets[i-2] = (int)SvIV(ST(i));
      }
+     offsets[0] = sectors;
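
Review bot: On the added line "if (items > 102 ) n_items = 102;", n_items is assigned only in the over-limit branch within the lines shown, yet the loop now runs to "i<n_items" on every call. Unless n_items is initialized to items at its declaration (outside this hunk), the loop bound is indeterminate for ordinary calls. An unconditional assignment such as "n_items = items > 102 ? 102 : items;" would keep the clamp self-contained and easy to audit. With the cap at 102 the highest index written is offsets[99], which fits the 100-element array the patch description mentions. Returning an error directly when items > 102 would also remove the dependence on discid_put rejecting the call, which the inline comment currently states only as an expectation.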

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libmusicbrainz-discid-perl.git



More information about the Pkg-perl-cvs-commits mailing list