diff options
Diffstat (limited to 'yocto-poky/meta/recipes-support/libbsd/files/CVE-2016-2090.patch')
-rw-r--r-- | yocto-poky/meta/recipes-support/libbsd/files/CVE-2016-2090.patch | 50 |
1 files changed, 0 insertions, 50 deletions
diff --git a/yocto-poky/meta/recipes-support/libbsd/files/CVE-2016-2090.patch b/yocto-poky/meta/recipes-support/libbsd/files/CVE-2016-2090.patch deleted file mode 100644 index 2eaae1386..000000000 --- a/yocto-poky/meta/recipes-support/libbsd/files/CVE-2016-2090.patch +++ /dev/null @@ -1,50 +0,0 @@ -From c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 Mon Sep 17 00:00:00 2001 -From: Hanno Boeck <hanno@hboeck.de> -Date: Wed, 27 Jan 2016 15:10:11 +0100 -Subject: [PATCH] Fix heap buffer overflow in fgetwln() - -In the function fgetwln() there's a 4 byte heap overflow. - -There is a while loop that has this check to see whether there's still -enough space in the buffer: - - if (!fb->len || wused > fb->len) { - -If this is true more memory gets allocated. However this test won't be -true if wused == fb->len, but at that point wused already points out -of the buffer. Some lines later there's a write to the buffer: - - fb->wbuf[wused++] = wc; - -This bug was found with the help of address sanitizer. - -Warned-by: ASAN -Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=93881 -Signed-off-by: Guillem Jover <guillem@hadrons.org> - -Upstream-Status: Backport -http://cgit.freedesktop.org/libbsd/commit/?id=c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 - -CVE: CVE-2016-2090 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - src/fgetwln.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/fgetwln.c b/src/fgetwln.c -index 9ee0776..aa3f927 100644 ---- a/src/fgetwln.c -+++ b/src/fgetwln.c -@@ -60,7 +60,7 @@ fgetwln(FILE *stream, size_t *lenp) - fb->fp = stream; - - while ((wc = fgetwc(stream)) != WEOF) { -- if (!fb->len || wused > fb->len) { -+ if (!fb->len || wused >= fb->len) { - wchar_t *wp; - - if (fb->len) --- -2.3.5 - |