sysstat/CVE-2019-16167_memory-corruption-due-to-an-integer-overflow.patch

44 lines
1.4 KiB
Diff
Raw Normal View History

--- sa_common.c
+++ sa_common.c
@@ -1249,6 +1249,11 @@
/* Remap [unsigned] long fields */
d = gtypes_nr[0] - ftypes_nr[0];
if (d) {
+
+ if (ftypes_nr[0] * ULL_ALIGNMENT_WIDTH < ftypes_nr[0])
+ /* Overflow */
+ return;
+
memmove(((char *) ps) + gtypes_nr[0] * ULL_ALIGNMENT_WIDTH,
((char *) ps) + ftypes_nr[0] * ULL_ALIGNMENT_WIDTH,
st_size - ftypes_nr[0] * ULL_ALIGNMENT_WIDTH);
@@ -1260,7 +1265,13 @@
/* Remap [unsigned] int fields */
d = gtypes_nr[1] - ftypes_nr[1];
if (d) {
- memmove(((char *) ps) + gtypes_nr[0] * ULL_ALIGNMENT_WIDTH
+
+ if (gtypes_nr[0] * ULL_ALIGNMENT_WIDTH +
+ ftypes_nr[1] * UL_ALIGNMENT_WIDTH < ftypes_nr[1])
+ /* Overflow */
+ return;
+
+ memmove(((char *) ps) + gtypes_nr[0] * ULL_ALIGNMENT_WIDTH
+ gtypes_nr[1] * UL_ALIGNMENT_WIDTH,
((char *) ps) + gtypes_nr[0] * ULL_ALIGNMENT_WIDTH
+ ftypes_nr[1] * UL_ALIGNMENT_WIDTH,
@@ -1275,6 +1286,13 @@
/* Remap possible fields (like strings of chars) following int fields */
d = gtypes_nr[2] - ftypes_nr[2];
if (d) {
+
+ if (gtypes_nr[0] * ULL_ALIGNMENT_WIDTH +
+ gtypes_nr[1] * UL_ALIGNMENT_WIDTH +
+ ftypes_nr[2] * U_ALIGNMENT_WIDTH < ftypes_nr[2])
+ /* Overflow */
+ return;
+
memmove(((char *) ps) + gtypes_nr[0] * ULL_ALIGNMENT_WIDTH
+ gtypes_nr[1] * UL_ALIGNMENT_WIDTH
+ gtypes_nr[2] * U_ALIGNMENT_WIDTH,