folkslinux
/
rpm
mirror of https://github.com/rpm-software-management/rpm.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix ancient buffer overflow on unterminated macro options 

- Test for terminating ')' existence before copying, otherwise we'll
  end up walking over the edge of the world.
- Return address from doDefine() on error will likely differ after
  this, whether that actually affects anything remains to be seen...
This commit is contained in:
Panu Matilainen 2014-06-11 15:28:36 +03:00
parent 272033470b
commit eb62542695
1 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
rpmio/macro.c
View File

@ -485,9 +485,15 @@ doDefine(MacroBuf mb, const char * se, size_t slen, int level, int expandbody)
oe = ne + 1;
if (*s == '(') {
s++; /* skip ( */
o = oe;
COPYOPTS(oe, s, oc);
s++; /* skip ) */
/* Options must be terminated with ')' */
if (strchr(s, ')')) {
o = oe;
COPYOPTS(oe, s, oc);
s++; /* skip ) */
} else {
rpmlog(RPMLOG_ERR, _("Macro %%%s has unterminated opts\n"), n);
goto exit;
}
}
/* Copy body, skipping over escaped newlines */
@ -558,12 +564,6 @@ doDefine(MacroBuf mb, const char * se, size_t slen, int level, int expandbody)
goto exit;
}
/* Options must be terminated with ')' */
if (o && oc != ')') {
rpmlog(RPMLOG_ERR, _("Macro %%%s has unterminated opts\n"), n);
goto exit;
}
if ((be - b) < 1) {
rpmlog(RPMLOG_ERR, _("Macro %%%s has empty body\n"), n);
goto exit;