[Pkg-privacy-commits] [libotr] 145/225: Imported Debian patch 3.2.0-2+squeeze1
Ximin Luo
infinity0 at moszumanska.debian.org
Sat Aug 22 12:45:17 UTC 2015
This is an automated email from the git hooks/post-receive script.
infinity0 pushed a commit to branch master
in repository libotr.
commit 7339b8344cd1bbebb4daab756e7eb2e272cadc84
Author: Nico Golde <nion at debian.org>
Date: Sun Aug 12 11:39:08 2012 +0000
Imported Debian patch 3.2.0-2+squeeze1
---
debian/changelog | 8 ++++++++
src/b64.c | 16 +++++++++++-----
src/b64.h | 18 ++++++++++++++++--
src/proto.c | 16 ++++++++++++----
toolkit/parse.c | 9 ++++++---
5 files changed, 53 insertions(+), 14 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 869c16a..b7c31f0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libotr (3.2.0-2+squeeze1) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix potential buffer overflows in base64 handling
+ (CVE-2012-3461; Closes: #684121).
+
+ -- Nico Golde <nion at debian.org> Sun, 12 Aug 2012 11:39:08 +0000
+
libotr (3.2.0-2) unstable; urgency=low
* Fix outdated config.{sub,guess} (Closes: #529461)
diff --git a/src/b64.c b/src/b64.c
index b8736da..9e35251 100644
--- a/src/b64.c
+++ b/src/b64.c
@@ -55,7 +55,7 @@ VERSION HISTORY:
\******************************************************************* */
/* system headers */
-#include <stdlib.h>
+#include <stdio.h>
#include <string.h>
/* libotr headers */
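Review bot: Replacing `#include <stdlib.h>` with `#include <stdio.h>` leaves this file relying on another header for `malloc`, which otrl_base64_otr_decode still calls later in the file. It presumably still compiles only because src/b64.h gains `#include <stdlib.h>` in this same commit, and nothing in the visible hunks uses a stdio function. Keeping `#include <stdlib.h>` here, and adding `<stdio.h>` only if something needs it, would keep the allocator's prototype independent of include order.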
@@ -147,8 +147,9 @@ static size_t decode(unsigned char *out, const char *in, size_t b64len)
* base64 decode data. Skip non-base64 chars, and terminate at the
* first '=', or the end of the buffer.
*
- * The buffer data must contain at least (base64len / 4) * 3 bytes of
- * space. This function will return the number of bytes actually used.
+ * The buffer data must contain at least ((base64len+3) / 4) * 3 bytes
+ * of space. This function will return the number of bytes actually
+ * used.
*/
size_t otrl_base64_decode(unsigned char *data, const char *base64data,
size_t base64len)
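Review bot: The corrected comment spells out the bound as `((base64len+3) / 4) * 3` instead of naming `OTRL_B64_MAX_DECODED_SIZE`, so the prose and the macro can drift apart again. otrl_base64_decode takes no output-size argument, so this comment is the only statement of the contract that callers see. I would word it as `* The buffer data must contain at least OTRL_B64_MAX_DECODED_SIZE(base64len) bytes of space.` and make the same change to the matching comment in src/b64.h.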
@@ -234,13 +235,18 @@ int otrl_base64_otr_decode(const char *msg, unsigned char **bufp,
return -2;
}
+ /* Skip over the "?OTR:" */
+ otrtag += 5;
+ msglen -= 5;
+
/* Base64-decode the message */
- rawlen = ((msglen-5) / 4) * 3; /* maximum possible */
+ rawlen = OTRL_B64_MAX_DECODED_SIZE(msglen); /* maximum possible */
rawmsg = malloc(rawlen);
if (!rawmsg && rawlen > 0) {
return -1;
}
- rawlen = otrl_base64_decode(rawmsg, otrtag+5, msglen-5); /* actual size */
+
+ rawlen = otrl_base64_decode(rawmsg, otrtag, msglen); /* actual size */
*bufp = rawmsg;
*lenp = rawlen;
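Review bot: `msglen -= 5` depends on msglen being at least 5, and nothing in this hunk shows where that is guaranteed. If msglen is an unsigned type (its declaration is outside the hunk), a shorter value would wrap and pass a huge length to both `OTRL_B64_MAX_DECODED_SIZE` and `otrl_base64_decode`. The guarantee presumably comes from the earlier search for the "?OTR:" tag, so a comment such as `/* msglen >= 5 here: otrtag points at "?OTR:" */` would record it. The literal 5 could also become a named constant, since the same skip is repeated in both src/proto.c hunks. The body of otrl_base64_otr_decode starts and ends outside this hunk.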
diff --git a/src/b64.h b/src/b64.h
index 34ef03f..dd0e115 100644
--- a/src/b64.h
+++ b/src/b64.h
@@ -20,6 +20,19 @@
#ifndef __B64_H__
#define __B64_H__
+#include <stdlib.h>
+
+/* Base64 encodes blocks of this many bytes: */
+#define OTRL_B64_DECODED_LEN 3
+/* into blocks of this many bytes: */
+#define OTRL_B64_ENCODED_LEN 4
+
+/* An encoded block of length encoded_len can turn into a maximum of
+ * this many decoded bytes: */
+#define OTRL_B64_MAX_DECODED_SIZE(encoded_len) \
+ (((encoded_len + OTRL_B64_ENCODED_LEN - 1) / OTRL_B64_ENCODED_LEN) \
+ * OTRL_B64_DECODED_LEN)
+
/*
* base64 encode data. Insert no linebreaks or whitespace.
*
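Review bot: `OTRL_B64_MAX_DECODED_SIZE` uses its argument unparenthesized, so the result depends on the operator precedence of whatever expression a caller passes. The call in toolkit/parse.c passes `footer-header`, which happens to expand correctly, but a conditional or shift expression would not. The first line of the expansion should read `((((encoded_len) + OTRL_B64_ENCODED_LEN - 1) / OTRL_B64_ENCODED_LEN) \`. Because the macro now sizes every decode buffer, its comment could also say that the addition is assumed not to wrap for the lengths passed in.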
@@ -33,8 +46,9 @@ size_t otrl_base64_encode(char *base64data, const unsigned char *data,
* base64 decode data. Skip non-base64 chars, and terminate at the
* first '=', or the end of the buffer.
*
- * The buffer data must contain at least (base64len / 4) * 3 bytes of
- * space. This function will return the number of bytes actually used.
+ * The buffer data must contain at least ((base64len+3) / 4) * 3 bytes
+ * of space. This function will return the number of bytes actually
+ * used.
*/
size_t otrl_base64_decode(unsigned char *data, const char *base64data,
size_t base64len);
diff --git a/src/proto.c b/src/proto.c
index 3f8c987..0374dfe 100644
--- a/src/proto.c
+++ b/src/proto.c
@@ -537,13 +537,17 @@ gcry_error_t otrl_proto_data_read_flags(const char *datamsg,
msglen = strlen(otrtag);
}
+ /* Skip over the "?OTR:" */
+ otrtag += 5;
+ msglen -= 5;
+
/* Base64-decode the message */
- rawlen = ((msglen-5) / 4) * 3; /* maximum possible */
+ rawlen = OTRL_B64_MAX_DECODED_SIZE(msglen); /* maximum possible */
rawmsg = malloc(rawlen);
if (!rawmsg && rawlen > 0) {
return gcry_error(GPG_ERR_ENOMEM);
}
- rawlen = otrl_base64_decode(rawmsg, otrtag+5, msglen-5); /* actual size */
+ rawlen = otrl_base64_decode(rawmsg, otrtag, msglen); /* actual size */
bufp = rawmsg;
lenp = rawlen;
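Review bot: The skip, size, malloc and decode sequence added here duplicates what otrl_base64_otr_decode in src/b64.c does after this commit, and the otrl_proto_accept_data hunk below duplicates it again. Three hand-maintained copies of a buffer-size calculation are easy to fix unevenly, and this patch has to correct each copy separately. If the helper's return codes fit these callers (only the -1 and -2 returns are visible, so this needs checking), both sites could call it instead, along the lines of `if (otrl_base64_otr_decode(datamsg, &rawmsg, &rawlen) == -1) return gcry_error(GPG_ERR_ENOMEM);`. Both functions continue outside their hunks.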
@@ -606,14 +610,18 @@ gcry_error_t otrl_proto_accept_data(char **plaintextp, OtrlTLV **tlvsp,
msglen = strlen(otrtag);
}
+ /* Skip over the "?OTR:" */
+ otrtag += 5;
+ msglen -= 5;
+
/* Base64-decode the message */
- rawlen = ((msglen-5) / 4) * 3; /* maximum possible */
+ rawlen = OTRL_B64_MAX_DECODED_SIZE(msglen); /* maximum possible */
rawmsg = malloc(rawlen);
if (!rawmsg && rawlen > 0) {
err = gcry_error(GPG_ERR_ENOMEM);
goto err;
}
- rawlen = otrl_base64_decode(rawmsg, otrtag+5, msglen-5); /* actual size */
+ rawlen = otrl_base64_decode(rawmsg, otrtag, msglen); /* actual size */
bufp = rawmsg;
lenp = rawlen;
diff --git a/toolkit/parse.c b/toolkit/parse.c
index 5f357fc..16718ca 100644
--- a/toolkit/parse.c
+++ b/toolkit/parse.c
@@ -64,7 +64,8 @@ static unsigned char *decode(const char *msg, size_t *lenp)
{
const char *header, *footer;
unsigned char *raw;
-
+ size_t rawlen;
+
/* Find the header */
header = strstr(msg, "?OTR:");
if (!header) return NULL;
@@ -75,8 +76,10 @@ static unsigned char *decode(const char *msg, size_t *lenp)
footer = strchr(header, '.');
if (!footer) footer = header + strlen(header);
- raw = malloc((footer-header) / 4 * 3);
- if (raw == NULL && (footer-header >= 4)) return NULL;
+ rawlen = OTRL_B64_MAX_DECODED_SIZE(footer-header);
+
+ raw = malloc(rawlen);
+ if (raw == NULL && rawlen > 0) return NULL;
*lenp = otrl_base64_decode(raw, header, footer-header);
return raw;
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-privacy/packages/libotr.git