Module Name: src Committed By: snj Date: Wed Feb 4 04:38:19 UTC 2015
Modified Files: src/external/bsd/libevent/dist [netbsd-6]: buffer.c Log Message: Apply patch (requested by spz in ticket 1243): Fix CVE-2014-6272. To generate a diff of this commit: cvs rdiff -u -r1.1.1.1 -r1.1.1.1.8.1 src/external/bsd/libevent/dist/buffer.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/external/bsd/libevent/dist/buffer.c
diff -u src/external/bsd/libevent/dist/buffer.c:1.1.1.1 src/external/bsd/libevent/dist/buffer.c:1.1.1.1.8.1
--- src/external/bsd/libevent/dist/buffer.c:1.1.1.1 Mon Nov 2 10:00:52 2009
+++ src/external/bsd/libevent/dist/buffer.c Wed Feb 4 04:38:19 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: buffer.c,v 1.1.1.1 2009/11/02 10:00:52 plunky Exp $ */
+/* $NetBSD: buffer.c,v 1.1.1.1.8.1 2015/02/04 04:38:19 snj Exp $ */
 /*
 * Copyright (c) 2002, 2003 Niels Provos <pro...@citi.umich.edu>
 * All rights reserved.
@@ -144,7 +144,8 @@ evbuffer_add_vprintf(struct evbuffer *bu
 va_list aq;
 /* make sure that at least some space is available */
- evbuffer_expand(buf, 64);
+ if (evbuffer_expand(buf, 64) < 0)
+ return (-1);
 for (;;) {
 size_t used = buf->misalign + buf->off;
 buffer = (char *)buf->buffer + buf->off;
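Review bot: The new guard in evbuffer_add_vprintf tests `evbuffer_expand(buf, 64) < 0`, while evbuffer_add in the same file tests the same call with `== -1`. As patched, the failure path of evbuffer_expand visible in this diff returns exactly -1, so one spelling should be used at both call sites, e.g. `if (evbuffer_expand(buf, 64) == -1)`. A one-line comment such as `/* expansion failed; nothing has been appended yet */` above the early return would record why the function can now fail before formatting starts. The body of evbuffer_add_vprintf begins and ends outside the hunk.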
@@ -260,31 +261,47 @@ evbuffer_align(struct evbuffer *buf)
 buf->misalign = 0;
 }
+#ifndef SIZE_MAX
+#define SIZE_MAX ((size_t)-1)
+#endif
+
 /* Expands the available space in the event buffer to at least datlen */
 int
 evbuffer_expand(struct evbuffer *buf, size_t datlen)
 {
- size_t need = buf->misalign + buf->off + datlen;
+ size_t used = buf->misalign + buf->off;
+
+ assert(buf->totallen >= used);
 /* If we can fit all the data, then we don't have to do anything */
- if (buf->totallen >= need)
+ if (buf->totallen - used >= datlen)
 return (0);
+ /* If we would need to overflow to fit this much data, we can't
+ * do anything. */
+ if (datlen > SIZE_MAX - buf->off)
+ return (-1);
 /*
 * If the misalignment fulfills our data needs, we just force an
 * alignment to happen. Afterwards, we have enough space.
 */
- if (buf->misalign >= datlen) {
+ if (buf->totallen - buf->off >= datlen) {
 evbuffer_align(buf);
 } else {
 void *newbuf;
 size_t length = buf->totallen;
+ size_t need = buf->off + datlen;
 if (length < 256)
 length = 256;
- while (length < need)
- length <<= 1;
+ if (need < SIZE_MAX / 2) {
+ while (length < need) {
+ length <<= 1;
+ }
+ } else {
+ length = need;
+ }
 if (buf->orig_buffer != buf->buffer)
 evbuffer_align(buf);
@@ -301,10 +318,10 @@ evbuffer_expand(struct evbuffer *buf, si
 int
 evbuffer_add(struct evbuffer *buf, const void *data, size_t datlen)
 {
- size_t need = buf->misalign + buf->off + datlen;
+ size_t used = buf->misalign + buf->off;
 size_t oldoff = buf->off;
- if (buf->totallen < need) {
+ if (buf->totallen - used < datlen) {
 if (evbuffer_expand(buf, datlen) == -1)
 return (-1);
 }
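Review bot: In evbuffer_expand the invariant `buf->totallen >= used` is enforced only by `assert()`, which is compiled out when the file is built with NDEBUG. If the invariant were ever violated in such a build, `buf->totallen - used` would wrap and the "fits already" check would return 0 for a buffer that cannot hold datlen. A runtime guard such as `if (buf->totallen < used) return (-1);` would keep the check in release builds. The evbuffer_add hunk has the same unguarded subtraction (`buf->totallen - used < datlen`) with no assert at all, and in both places `used` is still the unchecked sum `buf->misalign + buf->off`. The body of evbuffer_expand continues past the end of its hunk.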