CVE-2020-15904: apply patch from Robert Scott to fix - shifting some bounds checking · ilanschnell/bsdiff4@49a4cee
A buffer overflow in the patching routine of bsdiff4 before 1.2.0 allows an attacker to write to heap memory (beyond allocated bounds) via a crafted patch file.
@@ -431,8 +431,7 @@ static PyObject* patch(PyObject* self, PyObject* args)
y = PyLong_AsLong(PyTuple_GET_ITEM(tuple, 1));
z = PyLong_AsLong(PyTuple_GET_ITEM(tuple, 2));
if (newpos + x > newDataLength ||
diffPtr + x > diffBlock + diffBlockLength ||
extraPtr + y > extraBlock + extraBlockLength) {
diffPtr + x > diffBlock + diffBlockLength) {
PyMem_Free(newData);
PyErr_SetString(PyExc_ValueError, "corrupt patch (overflow)");
return NULL;
@@ -444,6 +443,12 @@ static PyObject* patch(PyObject* self, PyObject* args)
newData[newpos + j] += origData[oldpos + j];
newpos += x;
oldpos += x;
if (newpos + y > newDataLength ||
extraPtr + y > extraBlock + extraBlockLength) {
PyMem_Free(newData);
PyErr_SetString(PyExc_ValueError, "corrupt patch (overflow)");
return NULL;
}
memcpy(newData + newpos, extraPtr, y);
extraPtr += y;
newpos += y;
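Review bot: The added guard `if (newpos + y > newDataLength || extraPtr + y > extraBlock + extraBlockLength)` only catches overrun past the end of the buffers; y is a long read with PyLong_AsLong a few lines above, so a negative y satisfies both comparisons and still reaches `memcpy(newData + newpos, extraPtr, y)`, where the implicit conversion to size_t turns it into an enormous length. The same applies to x in the first hunk, where a negative value additionally walks newpos and oldpos backwards for the next iteration, and a very large x or y makes `newpos + x` overflow signed arithmetic (undefined behaviour), so the comparison cannot be relied on. I would reject negatives and compare by remaining space instead of forming pointers past the end, e.g. `if (y < 0 || y > newDataLength - newpos || y > extraBlockLength - (extraPtr - extraBlock)) {` here and `if (x < 0 || y < 0 || x > newDataLength - newpos || x > diffBlockLength - (diffPtr - diffBlock)) {` in the first hunk; this assumes newpos and newDataLength are signed integer types, whose declarations, like the rest of patch()'s body, lie outside these hunks. Whether the read `origData[oldpos + j]` is bounded against the original data length is also not visible here and is worth confirming.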