git-svn: trunk@5032
Tomasz Kojm authored on 2009/04/09 04:33:48... | ... |
@@ -1,3 +1,19 @@ |
1 |
+Wed Apr 8 16:49:32 CEST 2009 (tk) |
|
2 |
+---------------------------------- |
|
3 |
+ * V 0.95.1 |
|
4 |
+ |
|
5 |
+Wed Apr 8 16:40:19 CEST 2009 (tk) |
|
6 |
+---------------------------------- |
|
7 |
+ * libclamav/phishcheck.c: fix possible crash in cli_url_canon() (bb#1553) |
|
8 |
+ Patch by Edwin, reported by Nigel Horne |
|
9 |
+ <njh*bandsman.co.uk> |
|
10 |
+ |
|
11 |
+Wed Apr 8 16:35:23 CEST 2009 (tk) |
|
12 |
+---------------------------------- |
|
13 |
+ * libclamav/others.h: harden CLI_ISCONTAINED macro (bb#1552) |
|
14 |
+ Patch by aCaB, reported by Martin Olsen |
|
15 |
+ <marty*lightspeedsystems.com> |
|
16 |
+ |
|
1 | 17 |
Tue Apr 7 16:53:18 CEST 2009 (acab) |
2 | 18 |
------------------------------------ |
3 | 19 |
* clamav-milter/netcode.c: honour ReadTimeout=0 |
... | ... |
@@ -14962,8 +14962,8 @@ static struct v{ |
14962 | 14962 |
extern void abort(void); |
14963 | 14963 |
|
14964 | 14964 |
#define CLI_ISCONTAINED(bb, bb_size, sb, sb_size) \ |
14965 |
- (bb_size > 0 && sb_size > 0 && sb_size <= bb_size \ |
|
14966 |
- && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb) |
|
14965 |
+ ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \ |
|
14966 |
+ && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size))) |
|
14967 | 14967 |
|
14968 | 14968 |
int crashtest() |
14969 | 14969 |
{ |
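Review bot: The hardened CLI_ISCONTAINED still builds `(sb) + (sb_size)` and `(bb) + (bb_size)` before it knows the sub-buffer fits, so the comparisons against those sums rely on pointer arithmetic that C leaves undefined once it leaves the object. A compiler may assume such sums never wrap and fold the `> (bb)` and `<=` tests away, which defeats the purpose of a bounds macro. Comparing offsets avoids forming the sum at all: after `(sb) >= (bb)` and the size checks, use `(size_t)((sb) - (bb)) <= (size_t)(bb_size) - (size_t)(sb_size)`, assuming both arguments are byte pointers of compatible type. The same expression is repeated in the next two hunks (the second crashtest() copy, and the CLI_ISCONTAINED / CLI_ISCONTAINED2 definitions), so the change would need to be applied to each copy.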
... | ... |
@@ -191,8 +191,8 @@ static struct v{ |
191 | 191 |
extern void abort(void); |
192 | 192 |
|
193 | 193 |
#define CLI_ISCONTAINED(bb, bb_size, sb, sb_size) \ |
194 |
- (bb_size > 0 && sb_size > 0 && sb_size <= bb_size \ |
|
195 |
- && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb) |
|
194 |
+ ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \ |
|
195 |
+ && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size))) |
|
196 | 196 |
|
197 | 197 |
int crashtest() |
198 | 198 |
{ |
... | ... |
@@ -59,12 +59,12 @@ extern uint8_t cli_debug_flag; |
59 | 59 |
* The macro can be used to protect against wraps. |
60 | 60 |
*/ |
61 | 61 |
#define CLI_ISCONTAINED(bb, bb_size, sb, sb_size) \ |
62 |
- (bb_size > 0 && sb_size > 0 && (size_t)sb_size <= (size_t)bb_size \ |
|
63 |
- && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size > bb) |
|
62 |
+ ((bb_size) > 0 && (sb_size) > 0 && (size_t)(sb_size) <= (size_t)(bb_size) \ |
|
63 |
+ && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) > (bb) && (sb) < ((bb) + (bb_size))) |
|
64 | 64 |
|
65 | 65 |
#define CLI_ISCONTAINED2(bb, bb_size, sb, sb_size) \ |
66 |
- (bb_size > 0 && sb_size >= 0 && (size_t)sb_size <= (size_t)bb_size \ |
|
67 |
- && sb >= bb && sb + sb_size <= bb + bb_size && sb + sb_size >= bb) |
|
66 |
+ ((bb_size) > 0 && (sb_size) >= 0 && (size_t)(sb_size) <= (size_t)(bb_size) \ |
|
67 |
+ && (sb) >= (bb) && ((sb) + (sb_size)) <= ((bb) + (bb_size)) && ((sb) + (sb_size)) >= (bb) && (sb) < ((bb) + (bb_size))) |
|
68 | 68 |
|
69 | 69 |
#define CLI_MAX_ALLOCATION 184549376 |
70 | 70 |
|
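Review bot: The clause `(sb) < ((bb) + (bb_size))` appended to CLI_ISCONTAINED2 changes what the macro accepts, not only how it is parenthesised. A zero-length sub-buffer positioned exactly at the end of bb (`sb == bb + bb_size`, `sb_size == 0`) satisfied the old expression and is rejected by the new one. If that is intended, the comment block above the macros (only its tail is visible in this hunk) should say so, for example `/* CLI_ISCONTAINED2 also accepts sb_size == 0, but sb must still point inside bb */`, and callers that test an end-of-buffer cursor are worth auditing. Separately, `(sb_size) >= 0` is always true when the argument is unsigned, so it only constrains callers that pass a signed size.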
... | ... |
@@ -1280,7 +1280,7 @@ int cli_url_canon(const char *inurl, size_t len, char *urlbuff, size_t dest_len, |
1280 | 1280 |
*p = '\0'; |
1281 | 1281 |
|
1282 | 1282 |
p = host_begin; |
1283 |
- while (p < urlend && p+2 < url + dest_len) { |
|
1283 |
+ while (p < urlend && p+2 < url + dest_len && urlend < urlbuff+dest_len) { |
|
1284 | 1284 |
unsigned char c = *p; |
1285 | 1285 |
if (c <= 32 || c >= 127 || c == '%' || c == '#') { |
1286 | 1286 |
/* convert non-ascii characters back to % escaped */ |
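Review bot: The loop condition on new line 1283 measures its bounds from two different bases: `p+2 < url + dest_len` uses `url`, while the added `urlend < urlbuff+dest_len` uses `urlbuff`. dest_len is presumably the size of urlbuff, so if `url` has been advanced past the start of urlbuff by this point (its assignment is outside the hunk), the first bound lies beyond the end of the buffer. I would anchor both on urlbuff: `while (p < urlend && p+2 < urlbuff + dest_len && urlend < urlbuff + dest_len) {`. The escape branch continues outside the hunk, so it should also be confirmed that the remaining headroom covers the bytes each escaped character adds to urlend.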