Package: netcdf
Version: 4.1.3-7

The functions "nc_uriparse" in nc_uri.c and "ocuriparse" in ocuri.c (which are very, very similar to each other, almost copies) both don't check properly for malformed URIs. For example they cause a segmentation fault when given the URI "file:o/", "file://", "file://a" or "http://hostname/"; (the latter one indirectly through a null-pointer returned by the mentioned functions, which is then referenced in ocuribuild, when doing an "ocopen").


This causes bugs in downstream libraries and executables, e.g. in mincdump:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=716119

As it's not fixed in the most recent upstream version (4.3.2), I tried to report the bug upstream (to the netcdf developers), but it looks like their bug tracking system is read-only, even after signing up (then what do they have it for anyway?). I'm gonna try via email now.

But as the Debian package is way behind upstream (sticking with 4.1.*), an upstream fix probably wouldn't help you, either. So I provided a patch to fix the problem.

Description: Fix checks for malformed URIs to avoid crashes
 The functions nc_uriparse and ocuriparse caused a segmentation fault
 when called on malformed URIs like "file:o/", "file://" or "file:///".
 This was due to: (1) An error in the check for the // part of the URI
 (between the "[protocol]:" and the hostname part), (2) a missing bail-out
 when the part containing file and constraints is missing. Besides, the fact
 that both functions set a null-pointer as file string when the file part
 was present, but empty (containing only one slash), caused a segmentation
 fault in ocuribuild when passing a URL like "http://domain.org/"; to ocopen.
Author: Martin Steghöfer <mar...@steghoefer.eu>

--- a/libdispatch/nc_uri.c
+++ b/libdispatch/nc_uri.c
@@ -115,7 +115,7 @@
     p += strlen(protocol);
 
     /* 5. skip // */
-    if(*p != '/' && *(p+1) != '/')
+    if(*p != '/' || *(p+1) != '/')
 	goto fail;
     p += 2;
 
@@ -123,6 +123,8 @@
     file = strchr(p,'/');
     if(file) {
 	*file++ = '\0'; /* warning: we just overwrote the leading / */
+    } else {
+        goto fail;
     }
 
     /* 7. extract any user:pwd */
@@ -165,12 +167,10 @@
         nc_uri->host = strdup(host);
     if(port && strlen(port) > 0)
         nc_uri->port = strdup(port);
-    if(file && strlen(file) > 0) {
-	/* Add back the leading / */
-        nc_uri->file = malloc(strlen(file)+2);
-	strcpy(nc_uri->file,"/");
-        strcat(nc_uri->file,file);
-    }
+    /* Add back the leading / */
+    nc_uri->file = malloc(strlen(file)+2);
+    strcpy(nc_uri->file,"/");
+    strcat(nc_uri->file,file);
     if(constraint && strlen(constraint) > 0)
         nc_uri->constraint = strdup(constraint);
     nc_urisetconstraints(nc_uri,constraint);
--- a/oc/ocuri.c
+++ b/oc/ocuri.c
@@ -115,7 +115,7 @@
     p += strlen(protocol);
 
     /* 5. skip // */
-    if(*p != '/' && *(p+1) != '/')
+    if(*p != '/' || *(p+1) != '/')
 	goto fail;
     p += 2;
 
@@ -123,6 +123,8 @@
     file = strchr(p,'/');
     if(file) {
 	*file++ = '\0'; /* warning: we just overwrote the leading / */
+    } else {
+        goto fail;
     }
 
     /* 7. extract any user:pwd */
@@ -165,12 +167,10 @@
         ocuri->host = strdup(host);
     if(port && strlen(port) > 0)
         ocuri->port = strdup(port);
-    if(file && strlen(file) > 0) {
-	/* Add back the leading / */
-        ocuri->file = malloc(strlen(file)+2);
-	strcpy(ocuri->file,"/");
-        strcat(ocuri->file,file);
-    }
+    /* Add back the leading / */
+    ocuri->file = malloc(strlen(file)+2);
+    strcpy(ocuri->file,"/");
+    strcat(ocuri->file,file);
     if(constraint && strlen(constraint) > 0)
         ocuri->constraint = strdup(constraint);
     ocurisetconstraints(ocuri,constraint);
_______________________________________________
Pkg-grass-devel mailing list
Pkg-grass-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-grass-devel

Reply via email to