latest pidgin slplink.c patch

Felipe Contreras felipe.contreras at gmail.com
Sun May 24 14:30:11 EDT 2009


On Sun, May 24, 2009 at 5:44 AM, adc <adc at intruded.net> wrote:
> Hi, could someone help me understand CVE-2009-1376?
> """
> The previous fix to CVE-2008-2927 was deemed incomplete. The size check
> improperly cast a uint64 to size_t, which can cause an integer overflow,
> rendering the check useless.
> """
> original patch:
>
> -		if ((offset + len) > slpmsg->size)
> +		if (G_MAXSIZE - len < offset || (offset + len) > slpmsg->size)
>
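Review bot: the added guard `G_MAXSIZE - len < offset` is arithmetically sound on its own (len is a gsize, so the subtraction cannot underflow, and the guard fires exactly when `offset + len` would wrap), but it only protects the sum if `offset` still holds its full value when this comparison runs; the CVE-2009-1376 text quoted above says the uint64 from the message was cast to size_t, so on a 32-bit build a header offset above 2^32 is truncated before this line is reached and both conditions pass. The declaration of `offset` needs widening rather than more arithmetic in the guard.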
> additional patch:
>
> +-      gsize offset;
> ++      guint64 offset;
>
> +       gsize len;
>
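Review bot: with `offset` now guint64 and `len` still gsize, `offset + len` is evaluated at 64-bit width and `G_MAXSIZE - len < offset` compares against the untruncated header value, which is what makes the earlier guard effective; a short comment on the declaration saying that `offset` must stay 64-bit because it is assigned from a 64-bit field would stop a later cleanup from narrowing it back to gsize.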
> Where is the problem exactly? I'm assuming that on a 32-bit machine
> G_MAXSIZE should be max unsigned int (2^32-1) and gsize is an unsigned
> integer. If those assumptions are correct, why is this check broken?
>
> G_MAXSIZE - len < offset
>
> In trying to understand definitions I also noticed this in glib for 64-bit
> machines:
> glib/gtypes.h:#define G_MAXUINT64    G_GINT64_CONSTANT(0xffffffffffffffffU)
>
> Should that line be?
> glib/gtypes.h:#define G_MAXUINT64    G_GUINT64_CONSTANT(0xffffffffffffffffU)

IMO that was a stupid fix, the one in msn-pecan is way simpler:
http://github.com/felipec/msn-pecan/commit/9fd6f02e4fa6f96f58e6f05111a482a1fa14e0d7

-- 
Felipe Contreras
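The three versions of the check adc asks about, modelled as an added example that is not code from this thread or from libpurple: `sim_gsize` and `SIM_MAXSIZE` are assumed stand-ins for gsize and G_MAXSIZE on a 32-bit build, and the truncating assignment of the 64-bit header offset follows the CVE text quoted above.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed 32-bit model: sim_gsize plays gsize, SIM_MAXSIZE plays G_MAXSIZE.
 * Names are ours, not libpurple's. Each check returns 1 to accept, 0 to reject. */
typedef uint32_t sim_gsize;
#define SIM_MAXSIZE UINT32_MAX

/* Before CVE-2008-2927: no guard. offset and len are both gsize, so the sum
 * wraps modulo 2^32 and a huge offset slips past the size test. */
int check_pre_2008(uint64_t hdr_offset, sim_gsize len, uint64_t msg_size) {
    sim_gsize offset = (sim_gsize)hdr_offset;   /* 64-bit header value truncated */
    if ((offset + len) > msg_size) return 0;
    return 1;
}

/* CVE-2008-2927 fix: guard added, but offset is still a gsize, so the header's
 * 64-bit value is truncated before the guard ever sees it. */
int check_2008(uint64_t hdr_offset, sim_gsize len, uint64_t msg_size) {
    sim_gsize offset = (sim_gsize)hdr_offset;
    if (SIM_MAXSIZE - len < offset || (offset + len) > msg_size) return 0;
    return 1;
}

/* CVE-2009-1376 fix: offset kept as guint64, so the guard and the sum are
 * evaluated at 64-bit width against the real header value. */
int check_2009(uint64_t hdr_offset, sim_gsize len, uint64_t msg_size) {
    uint64_t offset = hdr_offset;
    if (SIM_MAXSIZE - len < offset || (offset + len) > msg_size) return 0;
    return 1;
}

int main(void) {
    /* Constructed inputs: an honest chunk, a 32-bit wraparound, a truncation. */
    uint64_t offs[] = { 5, 0xFFFFFFF0ULL, 0x100000005ULL };
    sim_gsize lens[] = { 10, 0x20, 10 };
    for (int i = 0; i < 3; i++)
        printf("offset=%#llx len=%#x: pre2008=%d fix2008=%d fix2009=%d\n",
               (unsigned long long)offs[i], lens[i],
               check_pre_2008(offs[i], lens[i], 100),
               check_2008(offs[i], lens[i], 100),
               check_2009(offs[i], lens[i], 100));
    return 0;
}
```

Only the 2009 version rejects the truncated case; the 2008 guard stops the plain 32-bit wrap but accepts an offset of 2^32+5 because it has already become 5.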