void-packages/srcpkgs/matio/patches/CVE-2019-20020.patch

46 lines
1.8 KiB
Diff

From 8138e767bf6df7cccf1664f3a854e596628fdb2d Mon Sep 17 00:00:00 2001
From: Nathan Owens <ndowens04@gmail.com>
Date: Sat, 28 Dec 2019 18:25:58 -0600
Subject: [PATCH] matio: CVE-2019-20020 patch
Signed-off-by: Nathan Owens <ndowens04@gmail.com>
---
src/mat5.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/mat5.c b/src/mat5.c
index abdb351..776f233 100644
--- src/mat5.c
+++ src/mat5.c
@@ -980,10 +980,26 @@ ReadNextCell( mat_t *mat, matvar_t *matvar )
/* Rank and Dimension */
if ( uncomp_buf[0] == MAT_T_INT32 ) {
int j;
+ size_t size;
cells[i]->rank = uncomp_buf[1];
nbytes -= cells[i]->rank;
cells[i]->rank /= 4;
- cells[i]->dims = (size_t*)malloc(cells[i]->rank*sizeof(*cells[i]->dims));
+ if ( 0 == do_clean && cells[i]->rank > 13 ) {
+ int rank = cells[i]->rank;
+ cells[i]->rank = 0;
+ Mat_Critical("%d is not a valid rank", rank);
+ continue;
+ }
+ err = SafeMul(&size, cells[i]->rank, sizeof(*cells[i]->dims));
+ if ( err ) {
+ if ( do_clean )
+ free(dims);
+ Mat_VarFree(cells[i]);
+ cells[i] = NULL;
+ Mat_Critical("Integer multiplication overflow");
+ continue;
+ }
+ cells[i]->dims = (size_t*)malloc(size);
if ( mat->byteswap ) {
for ( j = 0; j < cells[i]->rank; j++ )
cells[i]->dims[j] = Mat_uint32Swap(dims + j);
--
2.24.1