Fix bspatch heap overflow vulnerability.

Obtained from: Chromium Reported by: Lu Tung-Pin Security: FreeBSD-SA-16:25.bspatch
svn path=/head/; revision=303298
2016-07-25 14:45:48 +00:00 · 2016-07-25 14:45:48 +00:00 · 2c8d04d022 · 2020-12-20 02:59:44 +00:00
commit 2c8d04d022
parent ae1b731b5d
1 changed files with 4 additions and 0 deletions
--- a/usr.bin/bsdiff/bspatch/bspatch.c
+++ b/usr.bin/bsdiff/bspatch/bspatch.c
@ -163,6 +163,10 @@ int main(int argc,char * argv[])
 			ctrl[i]=offtin(buf);
 		}

+		/* Sanity-check */
+		if ((ctrl[0] < 0) || (ctrl[1] < 0))
+			errx(1,"Corrupt patch\n");
+
 		/* Sanity-check */
 		if(newpos+ctrl[0]>newsize)
 			errx(1,"Corrupt patch\n");