Your message dated Tue, 30 Dec 2014 18:30:40 +0100
with message-id <[email protected]>
and subject line Re: Bug#774236: unblock: libmspack/0.4-2
has caused the Debian Bug report #774236,
regarding unblock: libmspack/0.4-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
774236: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774236
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
User: [email protected]
Usertags: unblock
Severity: normal
Coin,
This upload fixes a nasty hang with security implications (see #773041).
It only affects wheezy through this library. The patch is quite small
and that's the only change (debdiff attached).
Command:
unblock libmspack/0.4-2
Thanks.
--
Marc Dequènes
diff -Nru libmspack-0.4/debian/changelog libmspack-0.4/debian/changelog
--- libmspack-0.4/debian/changelog 2013-08-16 23:52:26.000000000 +0200
+++ libmspack-0.4/debian/changelog 2014-12-30 17:44:28.000000000 +0100
@@ -1,3 +1,10 @@
+libmspack (0.4-2) unstable; urgency=medium
+
+ * Added patch 'qtmd-fix-frame_end-overflow.patch' to fix an overflow
+ causing an infinite loop in some situation (Closes: #773041).
+
+ -- Marc Dequènes (Duck) <[email protected]> Tue, 30 Dec 2014 17:40:47 +0100
+
libmspack (0.4-1) unstable; urgency=low
* Initial release. (Closes: #711232)
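Review bot: the new entry "fix an overflow causing an infinite loop in some situation" understates what is being shipped: the attached patch description says the loop is triggered by a specific .cab file and the cover note calls it a hang with security implications. Since this upload is requested as a security unblock, the changelog should say that a crafted .cab makes the decompressor loop forever (a denial of service) and name the bug the patch itself cites alongside #773041, so a user reading the changelog sees why 0.4-2 matters.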
diff -Nru libmspack-0.4/debian/patches/qtmd-fix-frame_end-overflow.patch libmspack-0.4/debian/patches/qtmd-fix-frame_end-overflow.patch
--- libmspack-0.4/debian/patches/qtmd-fix-frame_end-overflow.patch 1970-01-01 01:00:00.000000000 +0100
+++ libmspack-0.4/debian/patches/qtmd-fix-frame_end-overflow.patch 2014-12-30 17:30:17.000000000 +0100
@@ -0,0 +1,62 @@
+From a0449d2079c4ba5822e6567ad7094c10108f16cd Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <[email protected]>
+Date: Tue, 23 Dec 2014 21:20:43 +0100
+Subject: libmspack: qtmd: fix frame_end overflow
+
+Debian bts #773041, #772891 contains a report of a .cab file which
+causes an endless loop.
+Eric Sharkey diagnosed the problem as frame_end is 32bit and overflows
+and the result the loop makes no progress.
+The problem seems that after the overflow, window_posn is larger than
+frame_end and therefore we never enter the loop to make progress. But we
+still have out_bytes >0 so we don't leave the outer loop either.
+
+Andreas Cadhalpun suggested to instead makeing frame_end 64bit, we could
+avoid the overflow by reordering the code the following way:
+
+original, with just out_bytes (without (qtm->o_end - qtm->o_ptr))
+| frame_end = window_posn + out_bytes;
+| if ((window_posn + frame_todo) < frame_end) {
+| frame_end = window_posn + frame_todo;
+| }
+
+replace frame_end in "if" with its content (and move the first frame_end
+into the else path)
+| if ((window_posn + frame_todo) < (window_posn + out_bytes))
+| frame_end = window_posn + frame_todo;
+| else
+| frame_end = window_posn + out_bytes;
+
+remove window_posn from "if" since it is the same both times.
+| if (frame_todo < out_bytes)
+| frame_end = window_posn + frame_todo;
+| else
+| frame_end = window_posn + out_bytes;
+
+Andreas added:
+|This works, because frame_todo is at most QTM_FRAME_SIZE = 32768.
+
+Suggested-as-patch: Andreas Cadhalpun <[email protected]>
+[sebastian@breakpoint: added patch description]
+Signed-off-by: Sebastian Andrzej Siewior <[email protected]>
+---
+ libmspack/mspack/qtmd.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/mspack/qtmd.c b/mspack/qtmd.c
+index 12b27f5608c4..e584aef8e576 100644
+--- a/mspack/qtmd.c
++++ b/mspack/qtmd.c
+@@ -296,9 +296,10 @@ int qtmd_decompress(struct qtmd_stream *qtm, off_t out_bytes) {
+
+ /* decode more, up to the number of bytes needed, the frame boundary,
+ * or the window boundary, whichever comes first */
+- frame_end = window_posn + (out_bytes - (qtm->o_end - qtm->o_ptr));
+- if ((window_posn + frame_todo) < frame_end) {
++ if (frame_todo < (out_bytes - (qtm->o_end - qtm->o_ptr))) {
+ frame_end = window_posn + frame_todo;
++ } else {
++ frame_end = window_posn + (out_bytes - (qtm->o_end - qtm->o_ptr));
+ }
+ if (frame_end > qtm->window_size) {
+ frame_end = qtm->window_size;
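Review bot: the expression `out_bytes - (qtm->o_end - qtm->o_ptr)` is now evaluated twice, once in the `if` condition and again in the `else` branch; hoist it into a single `off_t` local before the `if` so the comparison and the addition cannot drift apart, e.g. compute it once and write `if (frame_todo < remaining) ... else frame_end = window_posn + remaining;`. The argument that this ordering is safe, that the `else` addition only runs when the remaining count is at most `frame_todo`, which is itself at most QTM_FRAME_SIZE, so `window_posn + ...` stays far below 32 bits, lives only in the commit message; put a one-line comment above the `if` stating that invariant so the next person who touches this code does not reintroduce the truncated sum.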
diff -Nru libmspack-0.4/debian/patches/series libmspack-0.4/debian/patches/series
--- libmspack-0.4/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libmspack-0.4/debian/patches/series 2014-12-30 17:10:37.000000000 +0100
@@ -0,0 +1 @@
+qtmd-fix-frame_end-overflow.patch
--- End Message ---
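The following is an added example, not code from libmspack or from the bug report, that reproduces the arithmetic the attached patch reorders. It models `window_posn`, `frame_todo` and `frame_end` as 32-bit unsigned values and the `out_bytes` quantity as a 64-bit `off_t`-like integer (an assumption consistent with the wrap-around the report describes); `remaining` stands for the hunk's `out_bytes - (qtm->o_end - qtm->o_ptr)`; QTM_FRAME_SIZE = 32768 is taken from the patch description; the 0x1000 window position and the 4 GiB request are constructed inputs. It shows that the pre-patch sum wraps so the inner decode loop makes no progress, that the post-patch ordering yields a usable frame_end, and that both forms agree on ordinary inputs.

```c
#include <stdint.h>
#include <stdio.h>

/* Upper bound on frame_todo, as stated in the patch description (assumed here). */
#define QTM_FRAME_SIZE 32768u

/*
 * 'remaining' models out_bytes - (qtm->o_end - qtm->o_ptr) from the hunk: a
 * 64-bit off_t quantity.  window_posn, frame_todo and frame_end are modelled
 * as 32-bit unsigned, which is the assumption under which the reported
 * wrap-around happens.
 */

/* Pre-patch computation (the '-' lines of the hunk).  The sum is formed first
 * and truncated to 32 bits, so a huge 'remaining' wraps frame_end back to (or
 * below) window_posn and the later comparison cannot repair it. */
static uint32_t frame_end_before(uint32_t window_posn, uint32_t frame_todo,
                                 int64_t remaining)
{
    uint32_t frame_end = (uint32_t)(window_posn + remaining); /* truncation */
    if ((window_posn + frame_todo) < frame_end) {
        frame_end = window_posn + frame_todo;
    }
    return frame_end;
}

/* Post-patch computation (the '+' lines).  frame_todo is compared against the
 * wide 'remaining' first; the addition involving 'remaining' only happens when
 * remaining <= frame_todo <= QTM_FRAME_SIZE, so it cannot wrap. */
static uint32_t frame_end_after(uint32_t window_posn, uint32_t frame_todo,
                                int64_t remaining)
{
    uint32_t frame_end;
    if (frame_todo < remaining) {
        frame_end = window_posn + frame_todo;
    } else {
        frame_end = window_posn + (uint32_t)remaining;
    }
    return frame_end;
}

/* The decoder's inner loop is 'while (window_posn < frame_end)'; if that is
 * false on entry no bytes are produced, out_bytes never shrinks, and the
 * outer loop spins forever. */
static int loop_makes_progress(uint32_t window_posn, uint32_t frame_end)
{
    return window_posn < frame_end;
}

int main(void)
{
    const uint32_t window_posn = 0x1000;           /* constructed */
    const uint32_t frame_todo  = QTM_FRAME_SIZE;

    /* Constructed input: a folder claiming 4 GiB of output still to produce,
     * the kind of value a crafted .cab can request. */
    const int64_t huge = (int64_t)1 << 32;
    uint32_t fe_before = frame_end_before(window_posn, frame_todo, huge);
    uint32_t fe_after  = frame_end_after(window_posn, frame_todo, huge);
    printf("huge:  before=0x%x progress=%d | after=0x%x progress=%d\n",
           fe_before, loop_makes_progress(window_posn, fe_before),
           fe_after,  loop_makes_progress(window_posn, fe_after));

    /* Ordinary request: both forms agree, so the patch changes nothing here. */
    const int64_t small = 100;
    printf("small: before=0x%x after=0x%x\n",
           frame_end_before(window_posn, frame_todo, small),
           frame_end_after(window_posn, frame_todo, small));
    return 0;
}
```

With the 4 GiB request the pre-patch form returns frame_end == window_posn (0x1000), so the decode loop never runs, while the reordered form returns window_posn + frame_todo (0x9000); with a request of 100 bytes both return 0x1064.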
--- Begin Message ---
Hi,
On Tue, Dec 30, 2014 at 06:06:27PM +0100, Marc Dequènes wrote:
> unblock libmspack/0.4-2
Unblocked.
Cheers,
Ivo
--- End Message ---