[or-cvs] r13588: Backport to 0.1.2.x: Add some checks in torgzip.c to make su (in tor/branches/tor-0_1_2-patches: . src/common)

nickm at seul.org nickm at seul.org
Tue Feb 19 22:08:01 UTC 2008 

Author: nickm
Date: 2008-02-19 17:08:01 -0500 (Tue, 19 Feb 2008)
New Revision: 13588

Modified:
   tor/branches/tor-0_1_2-patches/
   tor/branches/tor-0_1_2-patches/ChangeLog
   tor/branches/tor-0_1_2-patches/src/common/container.c
   tor/branches/tor-0_1_2-patches/src/common/torgzip.c
Log:
 r18214 at catbus:  nickm | 2008-02-19 17:07:55 -0500
 Backport to 0.1.2.x: Add some checks in torgzip.c to make sure we never overflow size_t there.  Also make sure we do not realloc(list,0) in container.c.



Property changes on: tor/branches/tor-0_1_2-patches
___________________________________________________________________
 svk:merge ticket from /tor/012 [r18214] on 8246c3cf-6607-4228-993b-4d95d33730f1

Modified: tor/branches/tor-0_1_2-patches/ChangeLog
===================================================================
--- tor/branches/tor-0_1_2-patches/ChangeLog	2008-02-19 22:05:49 UTC (rev 13587)
+++ tor/branches/tor-0_1_2-patches/ChangeLog	2008-02-19 22:08:01 UTC (rev 13588)
@@ -19,6 +19,7 @@
       conditions.
     - We were leaking a file descriptor if Tor started with a zero-length
       cached-descriptors file. Patch by freddy77.
+    - Detect size overflow in zlib code.
 
 
 Changes in version 0.1.2.19 - 2008-01-17

Modified: tor/branches/tor-0_1_2-patches/src/common/container.c
===================================================================
--- tor/branches/tor-0_1_2-patches/src/common/container.c	2008-02-19 22:05:49 UTC (rev 13587)
+++ tor/branches/tor-0_1_2-patches/src/common/container.c	2008-02-19 22:08:01 UTC (rev 13588)
@@ -65,6 +65,8 @@
 {
   if (n < sl->num_used)
     n = sl->num_used;
+  if (n < 1)
+    n = 1;
   if (sl->capacity != n) {
     sl->capacity = n;
     sl->list = tor_realloc(sl->list, sizeof(void*)*sl->capacity);

Modified: tor/branches/tor-0_1_2-patches/src/common/torgzip.c
===================================================================
--- tor/branches/tor-0_1_2-patches/src/common/torgzip.c	2008-02-19 22:05:49 UTC (rev 13587)
+++ tor/branches/tor-0_1_2-patches/src/common/torgzip.c	2008-02-19 22:08:01 UTC (rev 13588)
@@ -70,7 +70,7 @@
                   compress_method_t method)
 {
   struct z_stream_s *stream = NULL;
-  size_t out_size;
+  size_t out_size, old_size;
   off_t offset;
 
   tor_assert(out);
@@ -118,7 +118,12 @@
           break;
       case Z_BUF_ERROR:
         offset = stream->next_out - ((unsigned char*)*out);
+        old_size = out_size;
         out_size *= 2;
+        if (out_size < old_size) {
+          log_warn(LD_GENERAL, "Size overflow in compression.");
+          goto err;
+        }
         *out = tor_realloc(*out, out_size);
         stream->next_out = (unsigned char*)(*out + offset);
         if (out_size - offset > UINT_MAX) {
@@ -173,7 +178,7 @@
                     int protocol_warn_level)
 {
   struct z_stream_s *stream = NULL;
-  size_t out_size;
+  size_t out_size, old_size;
   off_t offset;
   int r;
 
@@ -240,7 +245,12 @@
           goto err;
         }
         offset = stream->next_out - (unsigned char*)*out;
+        old_size = out_size;
         out_size *= 2;
+        if (out_size < old_size) {
+          log_warn(LD_GENERAL, "Size overflow in compression.");
+          goto err;
+        }
         *out = tor_realloc(*out, out_size);
         stream->next_out = (unsigned char*)(*out + offset);
         if (out_size - offset > UINT_MAX) {

More information about the tor-commits mailing list