21b3b75515
* gnu/packages/patches/glib-CVE-2021-27218.patch, gnu/packages/patches/glib-CVE-2021-27219-01.patch, gnu/packages/patches/glib-CVE-2021-27219-02.patch, gnu/packages/patches/glib-CVE-2021-27219-03.patch, gnu/packages/patches/glib-CVE-2021-27219-04.patch, gnu/packages/patches/glib-CVE-2021-27219-05.patch, gnu/packages/patches/glib-CVE-2021-27219-06.patch, gnu/packages/patches/glib-CVE-2021-27219-07.patch, gnu/packages/patches/glib-CVE-2021-27219-08.patch, gnu/packages/patches/glib-CVE-2021-27219-09.patch, gnu/packages/patches/glib-CVE-2021-27219-10.patch, gnu/packages/patches/glib-CVE-2021-27219-11.patch, gnu/packages/patches/glib-CVE-2021-27219-12.patch, gnu/packages/patches/glib-CVE-2021-27219-13.patch, gnu/packages/patches/glib-CVE-2021-27219-14.patch, gnu/packages/patches/glib-CVE-2021-27219-15.patch, gnu/packages/patches/glib-CVE-2021-27219-16.patch, gnu/packages/patches/glib-CVE-2021-27219-17.patch, gnu/packages/patches/glib-CVE-2021-27219-18.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/glib.scm (glib)[replacement]: New field. (glib/fixed): New variable.
47 lines
2.3 KiB
Diff
47 lines
2.3 KiB
Diff
From 0cbad673215ec8a049b7fe2ff44b0beed31b376e Mon Sep 17 00:00:00 2001
|
|
From: Philip Withnall <pwithnall@endlessos.org>
|
|
Date: Thu, 4 Feb 2021 16:12:24 +0000
|
|
Subject: [PATCH 05/11] gwinhttpfile: Avoid arithmetic overflow when
|
|
calculating a size
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
The members of `URL_COMPONENTS` (`winhttp_file->url`) are `DWORD`s, i.e.
|
|
32-bit unsigned integers. Adding to and multiplying them may cause them
|
|
to overflow the unsigned integer bounds, even if the result is passed to
|
|
`g_memdup2()` which accepts a `gsize`.
|
|
|
|
Cast the `URL_COMPONENTS` members to `gsize` first to ensure that the
|
|
arithmetic is done in terms of `gsize`s rather than unsigned integers.
|
|
|
|
Spotted by Sebastian Dröge.
|
|
|
|
Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
|
|
Helps: #2319
|
|
---
|
|
gio/win32/gwinhttpfile.c | 8 ++++----
|
|
1 file changed, 4 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/gio/win32/gwinhttpfile.c b/gio/win32/gwinhttpfile.c
|
|
index 040ee8564..246ec0578 100644
|
|
--- a/gio/win32/gwinhttpfile.c
|
|
+++ b/gio/win32/gwinhttpfile.c
|
|
@@ -394,10 +394,10 @@ g_winhttp_file_resolve_relative_path (GFile *file,
|
|
child = g_object_new (G_TYPE_WINHTTP_FILE, NULL);
|
|
child->vfs = winhttp_file->vfs;
|
|
child->url = winhttp_file->url;
|
|
- child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2);
|
|
- child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2);
|
|
- child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2);
|
|
- child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2);
|
|
+ child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, ((gsize) winhttp_file->url.dwSchemeLength + 1) * 2);
|
|
+ child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, ((gsize) winhttp_file->url.dwHostNameLength + 1) * 2);
|
|
+ child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, ((gsize) winhttp_file->url.dwUserNameLength + 1) * 2);
|
|
+ child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, ((gsize) winhttp_file->url.dwPasswordLength + 1) * 2);
|
|
child->url.lpszUrlPath = wnew_path;
|
|
child->url.dwUrlPathLength = wcslen (wnew_path);
|
|
child->url.lpszExtraInfo = NULL;
|
|
--
|
|
2.30.1
|
|
|