authorMaciej Mrozowski <reavertm@gentoo.org>2017-08-24 21:59:13 +0200
committerMaciej Mrozowski <reavertm@gentoo.org>2017-08-24 21:59:27 +0200
commitf6f41d931a86fc8b6aad0078b3a8a20e7ebff8bf (patch)
tree311040990327c527ddd5e0f6cae7dcfbc33d0a95 /dev-libs/libmspack/files
parentnet-misc/openvswitch: switch to split twisted bug 628028 (diff)
dev-libs/libmspack: CVE-2017-6419, bug 628684.
Package-Manager: Portage-2.3.6, Repoman-2.3.3
Diffstat (limited to 'dev-libs/libmspack/files')
-rw-r--r--dev-libs/libmspack/files/libmspack-0.5_alpha-CVE-2017-6419.patch41
1 files changed, 41 insertions, 0 deletions
diff --git a/dev-libs/libmspack/files/libmspack-0.5_alpha-CVE-2017-6419.patch b/dev-libs/libmspack/files/libmspack-0.5_alpha-CVE-2017-6419.patch
new file mode 100644
index 000000000000..1b81fdcbfcd4
--- /dev/null
+++ b/dev-libs/libmspack/files/libmspack-0.5_alpha-CVE-2017-6419.patch
@@ -0,0 +1,41 @@
+From a83773682e856ad6529ba6db8d1792e6d515d7f1 Mon Sep 17 00:00:00 2001
+From: Mickey Sola <msola@sourcefire.com>
+Date: Wed, 29 Mar 2017 14:55:26 -0400
+Subject: [PATCH] fixing potential OOB window write when unpacking chm files
+
+---
+ libclamav/libmspack-0.5alpha/mspack/lzxd.c | 11 +++++++++--
+ libclamav/libmspack.c | 6 +++++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/libclamav/libmspack-0.5alpha/mspack/lzxd.c b/libclamav/libmspack-0.5alpha/mspack/lzxd.c
+index 2281e7b9d..45105a583 100644
+--- a/mspack/lzxd.c
++++ b/mspack/lzxd.c
+@@ -766,8 +766,13 @@ int lzxd_decompress(struct lzxd_stream *lzx, off_t out_bytes) {
+ case LZX_BLOCKTYPE_UNCOMPRESSED:
+ /* as this_run is limited not to wrap a frame, this also means it
+ * won't wrap the window (as the window is a multiple of 32k) */
++ if (window_posn + this_run > lzx->window_size) {
++ D(("match ran over window boundary"))
++ return lzx->error = MSPACK_ERR_DECRUNCH;
++ }
+ rundest = &window[window_posn];
+ window_posn += this_run;
++
+ while (this_run > 0) {
+ if ((i = i_end - i_ptr) == 0) {
+ READ_IF_NEEDED;
+@@ -888,8 +893,10 @@ void lzxd_free(struct lzxd_stream *lzx) {
+ struct mspack_system *sys;
+ if (lzx) {
+ sys = lzx->sys;
+- sys->free(lzx->inbuf);
+- sys->free(lzx->window);
++ if(lzx->inbuf)
++ sys->free(lzx->inbuf);
++ if(lzx->window)
++ sys->free(lzx->window);
+ sys->free(lzx);
+ }
+ }
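Review bot: The new guard in the LZX_BLOCKTYPE_UNCOMPRESSED case is written as a sum, `window_posn + this_run > lzx->window_size`, so it only holds if that addition cannot wrap. The declarations of `window_posn` and `this_run` are outside the hunk (lzxd_decompress starts and ends outside it), so please confirm their types and ranges, or use the subtraction form `if (window_posn > lzx->window_size || this_run > lzx->window_size - window_posn)`. The comment directly above the guard still says the run "won't wrap the window", which the new check contradicts, and the debug text says "match" although this path copies an uncompressed block; I would reword both, for example `D(("uncompressed run exceeds window"))`. The embedded patch header still lists `libclamav/libmspack.c` in its diffstat while only the lzxd.c hunks are carried here, so a one-line note in the patch header saying the ClamAV wrapper change was dropped on purpose would help the next maintainer.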