Google Git
Sign in
cos / mirrors / cros / chromiumos / overlays / portage-stable / refs/heads/release-R52-8350.B / . / net-libs / gnutls / files / gnutls-2.12.23-CVE-2014-3469.patch
blob: a99b433b3c92e173db6d053ffce5c25dd6a7af4c [file] [log] [blame]
From 7f5a6256231e278aa7d00b6851c22fb457537262 Mon Sep 17 00:00:00 2001
From: mancha <mancha1@zoho.com>
Date: Sun, 1 Jun 2014
Subject: CVE-2014-3469
This is a backport adaptation for use with GnuTLS 2.12.23.
Relevant upstream commit(s):
-------------------------
http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=a8b3e14f84174e
http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=3d6a02f19ff15a
http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=53958290ab731c
---
lib/minitasn1/decoding.c | 11 ++++++++---
lib/minitasn1/element.c | 27 ++++++++++++++++++---------
2 files changed, 26 insertions(+), 12 deletions(-)
--- a/lib/minitasn1/decoding.c
+++ b/lib/minitasn1/decoding.c
@@ -231,7 +231,6 @@ asn1_get_octet_der (const unsigned char
if (der_len <= 0)
return ASN1_GENERIC_ERROR;
- /* if(str==NULL) return ASN1_SUCCESS; */
*str_len = asn1_get_length_der (der, der_len, &len_len);
if (*str_len < 0)
@@ -239,7 +238,10 @@ asn1_get_octet_der (const unsigned char
*ret_len = *str_len + len_len;
if (str_size >= *str_len)
- memcpy (str, der + len_len, *str_len);
+ {
+ if (*str_len > 0 && str != NULL)
+ memcpy (str, der + len_len, *str_len);
+ }
else
{
return ASN1_MEM_ERROR;
@@ -362,7 +364,10 @@ asn1_get_bit_der (const unsigned char *d
return ASN1_DER_ERROR;
if (str_size >= len_byte)
- memcpy (str, der + len_len + 1, len_byte);
+ {
+ if (len_byte > 0 && str)
+ memcpy (str, der + len_len + 1, len_byte);
+ }
else
{
return ASN1_MEM_ERROR;
--- a/lib/minitasn1/element.c
+++ b/lib/minitasn1/element.c
@@ -112,8 +112,11 @@ _asn1_convert_integer (const unsigned ch
/* VALUE_OUT is too short to contain the value conversion */
return ASN1_MEM_ERROR;
- for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++)
- value_out[k2 - k] = val[k2];
+ if (value_out != NULL)
+ {
+ for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++)
+ value_out[k2 - k] = val[k2];
+ }
#if 0
printf ("_asn1_convert_integer: valueIn=%s, lenOut=%d", value, *len);
@@ -611,7 +614,8 @@ asn1_write_value (asn1_node node_root, c
if (ptr_size < data_size) { \
return ASN1_MEM_ERROR; \
} else { \
- memcpy( ptr, data, data_size); \
+ if (ptr && data_size > 0) \
+ memcpy( ptr, data, data_size); \
}
#define PUT_STR_VALUE( ptr, ptr_size, data) \
@@ -620,16 +624,19 @@ asn1_write_value (asn1_node node_root, c
return ASN1_MEM_ERROR; \
} else { \
/* this strcpy is checked */ \
- _asn1_strcpy(ptr, data); \
+ if (ptr) { \
+ _asn1_strcpy(ptr, data); \
+ } \
}
#define ADD_STR_VALUE( ptr, ptr_size, data) \
- *len = (int) _asn1_strlen(data) + 1; \
- if (ptr_size < (int) _asn1_strlen(ptr)+(*len)) { \
+ *len += _asn1_strlen(data); \
+ if (ptr_size < (int) *len) { \
+ (*len)++; \
return ASN1_MEM_ERROR; \
} else { \
/* this strcat is checked */ \
- _asn1_strcat(ptr, data); \
+ if (ptr) _asn1_strcat (ptr, data); \
}
/**
@@ -786,7 +793,9 @@ asn1_read_value (asn1_node root, const c
case TYPE_OBJECT_ID:
if (node->type & CONST_ASSIGN)
{
- value[0] = 0;
+ *len = 0;
+ if (value)
+ value[0] = 0;
p = node->down;
while (p)
{
@@ -800,7 +809,7 @@ asn1_read_value (asn1_node root, const c
}
p = p->right;
}
- *len = _asn1_strlen (value) + 1;
+ (*len)++;
}
else if ((node->type & CONST_DEFAULT) && (node->value == NULL))
{