Hi all, I would like to submit a debdiff of the libevent package for review.
Could any one please review it and give me some comments. Thanks and best regards Cong -- ===================================================================== Nguyen The Cong (Mr) Software Engineer Toshiba Software Development (Vietnam) Co.,Ltd 519 Kim Ma street, Ba Dinh District, Hanoi, Vietnam tel: +84-4-2220 8801 (Ext. 208) e-mail: [email protected] ===================================================================== Note: This e-mail message may contain personal information or confidential information. If you are not the addressee of this message, please delete this message and kindly notify the sender as soon as possible - do not copy, use, or disclose this message.
diff -u libevent-1.4.13-stable/debian/changelog libevent-1.4.13-stable/debian/changelog
--- libevent-1.4.13-stable/debian/changelog
+++ libevent-1.4.13-stable/debian/changelog
@@ -1,3 +1,11 @@
+libevent (1.4.13-stable-1~deb6u1) squeeze-lts; urgency=low
+
+ * Non-maintainer upload.
+ * Fix potential heap overflow in buffer/bufferevent APIs as in CVE-2014-6272
+ Refer to upstream commit: 7b21c4eabf1f3946d3f63cce1319c490caab8ecf
+
+ -- Nguyen Cong <[email protected]> Tue, 13 Jan 2015 16:00:14 +0700
+
 libevent (1.4.13-stable-1) unstable; urgency=low * New upstream release
only in patch2:
unchanged:
--- libevent-1.4.13-stable.orig/buffer.c
+++ libevent-1.4.13-stable/buffer.c
@@ -143,7 +143,8 @@
 va_list aq; /* make sure that at least some space is available */
- evbuffer_expand(buf, 64);
+ if (evbuffer_expand(buf, 64) < 0)
+ return (-1);
 for (;;) { size_t used = buf->misalign + buf->off; buffer = (char *)buf->buffer + buf->off;
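Review bot: The added failure check in evbuffer_add_vprintf tests `evbuffer_expand(buf, 64) < 0`, while the existing caller shown as context in the evbuffer_add hunk tests `evbuffer_expand(buf, datlen) == -1`. evbuffer_expand only returns 0 or -1 in the lines visible in this patch, so both forms work, but one convention across the file makes the error paths easier to audit; `if (evbuffer_expand(buf, 64) == -1)` would match the existing code. The function starts and ends outside this hunk, so the expand call inside the loop is not visible here.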
@@ -258,31 +259,49 @@
 buf->misalign = 0; }
+#ifndef SIZE_MAX
+#define SIZE_MAX ((size_t)-1)
+#endif
+
 /* Expands the available space in the event buffer to at least datlen */ int evbuffer_expand(struct evbuffer *buf, size_t datlen) {
- size_t need = buf->misalign + buf->off + datlen;
+ size_t used = buf->misalign + buf->off;
+ size_t need;
+
+ assert(buf->totallen >= used);
 /* If we can fit all the data, then we don't have to do anything */
- if (buf->totallen >= need)
+ if (buf->totallen - used >= datlen)
 return (0);
+ /* If we would need to overflow to fit this much data, we can't
+ * do anything. */
+ if (datlen > SIZE_MAX - buf->off)
+ return (-1);
+
 /* * If the misalignment fulfills our data needs, we just force an * alignment to happen. Afterwards, we have enough space. */
- if (buf->misalign >= datlen) {
+ if (buf->totallen - buf->off >= datlen) {
 evbuffer_align(buf); } else { void *newbuf; size_t length = buf->totallen;
+ size_t need = buf->off + datlen;
 if (length < 256) length = 256;
- while (length < need)
- length <<= 1;
+ if (need < SIZE_MAX / 2) {
+ while (length < need) {
+ length <<= 1;
+ }
+ } else {
+ length = need;
+ }
 if (buf->orig_buffer != buf->buffer) evbuffer_align(buf);
@@ -299,10 +318,10 @@
 int evbuffer_add(struct evbuffer *buf, const void *data, size_t datlen) {
- size_t need = buf->misalign + buf->off + datlen;
+ size_t used = buf->misalign + buf->off;
 size_t oldoff = buf->off;
- if (buf->totallen < need) {
+ if (buf->totallen - used < datlen) {
 if (evbuffer_expand(buf, datlen) == -1) return (-1); }
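Review bot: The function-scope `size_t need;` added at the top of evbuffer_expand is never read or written, because the else branch declares its own `size_t need = buf->off + datlen;`, which shadows it. The outer declaration only produces unused-variable and shadowing warnings (for example under -Wall -Wshadow), so drop it and keep the block-scoped one. evbuffer_expand's body continues past the end of the hunk, so the allocation that consumes `length` after the `length = need` fallback is not visible here.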
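Review bot: In evbuffer_add the new test `buf->totallen - used < datlen` is an unsigned subtraction that is only correct while `buf->totallen >= used`, and nothing in this hunk checks that. evbuffer_expand in the previous hunk guards the same subtraction only with `assert(buf->totallen >= used);`, which disappears when NDEBUG is defined. If the invariant is ever broken, the difference wraps to a very large value, the expand call is skipped, and the copy that presumably follows outside the hunk would write past the allocation. A runtime guard such as `if (buf->totallen < used) return (-1);` before the comparison in both functions keeps the overflow fix effective in release builds. The body of evbuffer_add continues past the end of the hunk.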
