latest pidgin slplink.c patch
felipe.contreras at gmail.com
Sun May 24 14:30:11 EDT 2009
On Sun, May 24, 2009 at 5:44 AM, adc <adc at intruded.net> wrote:
> Hi, could someone help me understand CVE-2009-1376?
> The previous fix to CVE-2008-2927 was deemed incomplete. The size check
> improperly cast a uint64 to size_t, which can cause an integer overflow,
> rendering the check useless.
> original patch:
> - if ((offset + len) > slpmsg->size)
> + if (G_MAXSIZE - len < offset || (offset + len) > slpmsg->size)
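Review bot: the new first clause `G_MAXSIZE - len < offset` only guards the addition against wrapping in gsize arithmetic; it runs after `offset` and `len` have already been stored in their declared types. On a 32-bit build, where gsize is 32 bits but the header field that feeds `offset` is 64 bits (the follow-up hunk widens `offset` to guint64 for exactly this reason), the value the clause tests is the narrowed one and can differ from what the peer actually sent, so the check validates a different number than the one on the wire. The variable widths need to match the header fields before the comparison is made.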
> additional patch:
> +- gsize offset;
> ++ guint64 offset;
> + gsize len;
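Review bot: widening only `offset` to guint64 while `len` stays gsize works through the usual arithmetic conversions: `G_MAXSIZE - len` is evaluated in gsize and then compared with the 64-bit `offset`, and `offset + len` is evaluated in 64 bits, so on a 32-bit build an offset at or above 2^32 is now rejected by the first clause instead of being silently truncated. That correctness depends on `offset` being the wider operand and is not obvious from the hunk, so a one-line comment above the check, or a `G_STATIC_ASSERT` that `offset` is as wide as the header field, would make the intent survive the next refactor.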
> Where is the problem exactly? I'm assuming that on a 32-bit machine
> G_MAXSIZE should be
> max unsigned int (2^32-1) and gsize is an unsigned integer.
> If those assumptions are correct, why is this check broken?
> G_MAXSIZE - len < offset
> In trying to understand definitions I also noticed this in glib for 64-bit
> glib/gtypes.h:#define G_MAXUINT64 G_GINT64_CONSTANT(0xffffffffffffffffU)
> Should that line be?
> glib/gtypes.h:#define G_MAXUINT64 G_GUINT64_CONSTANT(0xffffffffffffffffU)
IMO that was a stupid fix, the one in msn-pecan is way simpler:
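As an added illustration of the type-width point raised in the question (example code written for this page, not Pidgin's or msn-pecan's code): it models only the quoted check, emulating a 32-bit build's gsize and G_MAXSIZE with uint32_t and UINT32_MAX so it runs on any host, and shows that with `gsize offset` a wire offset above 2^32 is narrowed before the check evaluates it, while with `guint64 offset` the first clause rejects it. The function names, the `slpmsg_size` parameter and the sample values are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for a 32-bit glib build: gsize is 32 bits wide there,
 * and G_MAXSIZE is its maximum. Using fixed-width types makes the effect
 * reproducible on a 64-bit host as well. */
typedef uint32_t gsize32;
#define G_MAXSIZE32 UINT32_MAX

/* Variant A: `gsize offset;` as in the CVE-2008-2927 fix quoted above.
 * wire_offset is the 64-bit header field; storing it in gsize narrows it
 * on a 32-bit build before the check ever sees it. */
bool check_with_gsize_offset(uint64_t wire_offset, uint32_t wire_len,
                             uint64_t slpmsg_size)
{
    gsize32 offset = (gsize32)wire_offset; /* implicit truncation on 32-bit */
    gsize32 len = wire_len;

    /* Same expression as the quoted patch; offset + len is gsize arithmetic. */
    if (G_MAXSIZE32 - len < offset || (offset + len) > slpmsg_size)
        return false; /* rejected */
    return true;      /* accepted: the narrowed offset would be used next */
}

/* Variant B: `guint64 offset;` as in the follow-up patch; len stays gsize.
 * G_MAXSIZE32 - len is promoted to 64 bits for the comparison, and
 * offset + len is evaluated in 64 bits. */
bool check_with_guint64_offset(uint64_t wire_offset, uint32_t wire_len,
                               uint64_t slpmsg_size)
{
    uint64_t offset = wire_offset;
    gsize32 len = wire_len;

    if (G_MAXSIZE32 - len < offset || (offset + len) > slpmsg_size)
        return false;
    return true;
}

/* Constructed cases, all against a 1024-byte message. */
static void show(const char *label, uint64_t off, uint32_t len)
{
    printf("%-28s offset=0x%llx len=0x%x  gsize:%s  guint64:%s\n", label,
           (unsigned long long)off, len,
           check_with_gsize_offset(off, len, 1024) ? "accept" : "reject",
           check_with_guint64_offset(off, len, 1024) ? "accept" : "reject");
}

int main(void)
{
    show("in-bounds chunk", 0, 512);              /* both accept */
    show("past end of message", 1000, 100);       /* both reject */
    show("32-bit wrap attempt", 0xFFFFFFF0u, 0x20); /* both reject: first clause */
    show("offset above 2^32", 0x100000010ull, 0x10); /* gsize accepts, guint64 rejects */
    return 0;
}
```

The only difference between the two variants is the declared width of `offset`; the third case shows that the first clause does catch a 32-bit wrap even in the gsize version, and the fourth shows what it cannot catch: a value that was already narrowed when it was stored. What the accepted, narrowed offset is later used for depends on the surrounding slplink.c code, which the thread does not quote, so the example stops at the check itself.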