latest pidgin slplink.c patch
adc at intruded.net
Sat May 23 22:44:15 EDT 2009
Hi, could someone help me understand CVE-2009-1376?
The previous fix to CVE-2008-2927 <http://pidgin.im/news/security/?id=25> was
deemed incomplete. The size check improperly cast a uint64 to size_t,
which can cause an integer overflow, rendering the check useless.
- if ((offset + len) > slpmsg->size)
+ if (G_MAXSIZE - len < offset || (offset + len) > slpmsg->size)
+- gsize offset;
++ guint64 offset;
+ gsize len;
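Review bot: the guard in the first hunk only works together with the type change in the second hunk, so the two should be reviewed as one change. With `offset` widened from `gsize` to `guint64`, the sum `offset + len` is evaluated in 64-bit arithmetic and the comparison `(offset + len) > slpmsg->size` can no longer wrap on a 32-bit target, while `G_MAXSIZE - len < offset` rejects any offset that would not fit in a `gsize` at all. If `offset` stayed a `gsize`, `offset + len` would still be computed in `gsize` and could wrap before the comparison, which is exactly what the old `-` line allowed; the type of `slpmsg->size` is not visible here and is worth confirming as well.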
Where is the problem exactly? I'm assuming that on a 32-bit machine
G_MAXSIZE should be max unsigned int (2^32-1) and gsize is an unsigned integer.
If those assumptions are correct, why is this check broken?
G_MAXSIZE - len < offset
In trying to understand definitions I also noticed this in glib for 64-bit
glib/gtypes.h:#define G_MAXUINT64 G_GINT64_CONSTANT(0xffffffffffffffffU)
Should that line be?
glib/gtypes.h:#define G_MAXUINT64 G_GUINT64_CONSTANT(0xffffffffffffffffU)
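The following is an added example, not Pidgin's code and not part of the original mail. It emulates a 32-bit build by using uint32_t in place of gsize (with a constructed G_MAXSIZE32 standing in for G_MAXSIZE) and uint64_t in place of guint64, and places the old check from the `-` line beside the new check from the `+` line so the wrap-around can be observed directly. The function names, the sample offsets and the message size are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for a 32-bit GLib build: gsize is 32 bits wide. */
typedef uint32_t gsize32;
#define G_MAXSIZE32 UINT32_MAX

/* Old check, as in the '-' line: offset, len and size are all gsize, so
 * offset + len is computed modulo 2^32 and may wrap to a small value.
 * Returns true when the (offset, len) pair is accepted. */
bool old_check_accepts(gsize32 offset, gsize32 len, gsize32 size)
{
    gsize32 end = offset + len;   /* wraps silently on overflow */
    return !(end > size);
}

/* New check, as in the '+' line, with offset widened to 64 bits as the
 * second hunk does. G_MAXSIZE - len is still a gsize (len <= G_MAXSIZE, so
 * it cannot underflow); comparing it against the 64-bit offset rejects any
 * offset that would not fit in a gsize once len is added. The second
 * comparison is then a 64-bit addition that cannot wrap for these inputs. */
bool new_check_accepts(uint64_t offset, gsize32 len, gsize32 size)
{
    if ((uint64_t)(G_MAXSIZE32 - len) < offset)
        return false;               /* offset + len would exceed gsize */
    if (offset + (uint64_t)len > (uint64_t)size)
        return false;               /* past the end of the message buffer */
    return true;
}

int main(void)
{
    const gsize32 size = 4096;      /* constructed message size */

    /* Constructed inputs: a normal chunk, an over-long chunk, and an offset
     * chosen so that offset + len wraps past 2^32 to a small number. */
    struct { uint64_t offset; gsize32 len; } cases[] = {
        { 100,        50   },
        { 4000,       200  },
        { 0xFFFFFFF0, 0x20 },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint64_t off = cases[i].offset;
        gsize32 len = cases[i].len;
        printf("offset=0x%08llx len=0x%x  old:%s  new:%s\n",
               (unsigned long long)off, len,
               old_check_accepts((gsize32)off, len, size) ? "accept" : "reject",
               new_check_accepts(off, len, size) ? "accept" : "reject");
    }
    return 0;
}
```

For the third case the old check computes 0xFFFFFFF0 + 0x20 in 32 bits, which wraps to 0x10 and compares as "inside" a 4096-byte buffer; the new check rejects it because G_MAXSIZE - 0x20 is smaller than the offset.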