commit 60b8a7ea0737c07d88443bd9628fe0b460cf1d8d · pyrox.dev/nixpkgs

+384

pkgs/tools/compression/bsdiff/CVE-2020-14315.patch

···

       1
       1
       +
       Description: patch for CVE-2020-14315

     

       2
       2
       +
        A memory corruption vulnerability is present in bspatch as shipped in

     

       3
       3
       +
        Colin Percival’s bsdiff tools version 4.3. Insufficient checks when

     

       4
       4
       +
        handling external inputs allows an attacker to bypass the sanity checks

     

       5
       5
       +
        in place and write out of a dynamically allocated buffer boundaries.

     

       6
       6
       +
       Source: https://svnweb.freebsd.org/base/head/usr.bin/bsdiff/bspatch/bspatch.c?revision=352742&view=co

     

       7
       7
       +
       Author: tony mancill <tmancill@debian.org>

     

       8
       8
       +
       Comment: The patch was created by comparing the Debian sources to the

     

       9
       9
       +
        "Confirmed Patched Version" [1] documented in the

     

       10
       10
       +
        X41 D-SEC GmbH Security Advisory: X41-2020-006 [2].

     

       11
       11
       +
        References to FreeBSD capsicum have been dropped.  Definitions for

     

       12
       12
       +
        TYPE_MINIMUM and TYPE_MAXIMUM have been borrowed from the Debian

     

       13
       13
       +
        coreutils package sources but originate in gnulib [3] and are used to

     

       14
       14
       +
        define OFF_MIN and OFF_MAX (limits of off_t). Whitespace changes from

     

       15
       15
       +
        the confirmed patched version are also included and keep the difference

     

       16
       16
       +
        between the Debian sources and the confirmed patched version minimal.

     

       17
       17
       +
        .

     

       18
       18
       +
        [1] https://svnweb.freebsd.org/base/head/usr.bin/bsdiff/bspatch/bspatch.c?revision=352742&view=co

     

       19
       19
       +
        [2] https://www.openwall.com/lists/oss-security/2020/07/09/2

     

       20
       20
       +
        [3] https://www.gnu.org/software/gnulib/

     

       21
       21
       +
       Last-Update: 2021-04-03

     

       22
       22
       +
       Forwarded: not-needed

     

       23
       23
       +
       Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964796

     

       24
       24
       +
       

     

       25
       25
       +
       --- a/bspatch.c

     

       26
       26
       +
       +++ b/bspatch.c

     

       27
       27
       +
       @@ -1,4 +1,6 @@

     

       28
       28
       +
        /*-

     

       29
       29
       +
       + * SPDX-License-Identifier: BSD-2-Clause-FreeBSD

     

       30
       30
       +
       + *

     

       31
       31
       +
         * Copyright 2003-2005 Colin Percival

     

       32
       32
       +
         * All rights reserved

     

       33
       33
       +
         *

     

       34
       34
       +
       @@ -24,56 +26,148 @@

     

       35
       35
       +
         * POSSIBILITY OF SUCH DAMAGE.

     

       36
       36
       +
         */

     

       37
       37
       +
        

     

       38
       38
       +
       +#include <sys/cdefs.h>

     

       39
       39
       +
        #if 0

     

       40
       40
       +
       -__FBSDID("$FreeBSD: src/usr.bin/bsdiff/bspatch/bspatch.c,v 1.1 2005/08/06 01:59:06 cperciva Exp $");

     

       41
       41
       +
       +__FBSDID("$FreeBSD$");

     

       42
       42
       +
        #endif

     

       43
       43
       +
        

     

       44
       44
       +
        #include <bzlib.h>

     

       45
       45
       +
       -#include <stdlib.h>

     

       46
       46
       +
       +#include <err.h>

     

       47
       47
       +
       +#include <fcntl.h>

     

       48
       48
       +
       +#include <libgen.h>

     

       49
       49
       +
       +#include <limits.h>

     

       50
       50
       +
       +#include <stdint.h>

     

       51
       51
       +
        #include <stdio.h>

     

       52
       52
       +
       +#include <stdlib.h>

     

       53
       53
       +
        #include <string.h>

     

       54
       54
       +
       -#include <err.h>

     

       55
       55
       +
        #include <unistd.h>

     

       56
       56
       +
       -#include <fcntl.h>

     

       57
       57
       +
       +

     

       58
       58
       +
       +#ifndef O_BINARY

     

       59
       59
       +
       +#define O_BINARY 0

     

       60
       60
       +
       +#endif

     

       61
       61
       +
       +#define HEADER_SIZE 32

     

       62
       62
       +
       +

     

       63
       63
       +
       +/* TYPE_MINIMUM and TYPE_MAXIMUM taken from coreutils */

     

       64
       64
       +
       +#ifndef TYPE_MINIMUM

     

       65
       65
       +
       +#define TYPE_MINIMUM(t) \

     

       66
       66
       +
       +  ((t) ((t) 0 < (t) -1 ? (t) 0 : ~ TYPE_MAXIMUM (t)))

     

       67
       67
       +
       +#endif

     

       68
       68
       +
       +#ifndef TYPE_MAXIMUM

     

       69
       69
       +
       +#define TYPE_MAXIMUM(t) \

     

       70
       70
       +
       +  ((t) ((t) 0 < (t) -1 \

     

       71
       71
       +
       +        ? (t) -1 \

     

       72
       72
       +
       +        : ((((t) 1 << (sizeof (t) * CHAR_BIT - 2)) - 1) * 2 + 1)))

     

       73
       73
       +
       +#endif

     

       74
       74
       +
       +

     

       75
       75
       +
       +#ifndef OFF_MAX

     

       76
       76
       +
       +#define OFF_MAX TYPE_MAXIMUM(off_t)

     

       77
       77
       +
       +#endif

     

       78
       78
       +
       +

     

       79
       79
       +
       +#ifndef OFF_MIN

     

       80
       80
       +
       +#define OFF_MIN TYPE_MINIMUM(off_t)

     

       81
       81
       +
       +#endif

     

       82
       82
       +
       +

     

       83
       83
       +
       +static char *newfile;

     

       84
       84
       +
       +static int dirfd = -1;

     

       85
       85
       +
       +

     

       86
       86
       +
       +static void

     

       87
       87
       +
       +exit_cleanup(void)

     

       88
       88
       +
       +{

     

       89
       89
       +
       +

     

       90
       90
       +
       +	if (dirfd != -1 && newfile != NULL)

     

       91
       91
       +
       +		if (unlinkat(dirfd, newfile, 0))

     

       92
       92
       +
       +			warn("unlinkat");

     

       93
       93
       +
       +}

     

       94
       94
       +
       +

     

       95
       95
       +
       +static inline off_t

     

       96
       96
       +
       +add_off_t(off_t a, off_t b)

     

       97
       97
       +
       +{

     

       98
       98
       +
       +	off_t result;

     

       99
       99
       +
       +

     

       100
       100
       +
       +#if __GNUC__ >= 5

     

       101
       101
       +
       +	if (__builtin_add_overflow(a, b, &result))

     

       102
       102
       +
       +		errx(1, "Corrupt patch");

     

       103
       103
       +
       +#else

     

       104
       104
       +
       +	if ((b > 0 && a > OFF_MAX - b) || (b < 0 && a < OFF_MIN - b))

     

       105
       105
       +
       +		errx(1, "Corrupt patch");

     

       106
       106
       +
       +	result = a + b;

     

       107
       107
       +
       +#endif

     

       108
       108
       +
       +	return result;

     

       109
       109
       +
       +}

     

       110
       110
       +
        

     

       111
       111
       +
        static off_t offtin(u_char *buf)

     

       112
       112
       +
        {

     

       113
       113
       +
        	off_t y;

     

       114
       114
       +
        

     

       115
       115
       +
       -	y=buf[7]&0x7F;

     

       116
       116
       +
       -	y=y*256;y+=buf[6];

     

       117
       117
       +
       -	y=y*256;y+=buf[5];

     

       118
       118
       +
       -	y=y*256;y+=buf[4];

     

       119
       119
       +
       -	y=y*256;y+=buf[3];

     

       120
       120
       +
       -	y=y*256;y+=buf[2];

     

       121
       121
       +
       -	y=y*256;y+=buf[1];

     

       122
       122
       +
       -	y=y*256;y+=buf[0];

     

       123
       123
       +
       +	y = buf[7] & 0x7F;

     

       124
       124
       +
       +	y = y * 256; y += buf[6];

     

       125
       125
       +
       +	y = y * 256; y += buf[5];

     

       126
       126
       +
       +	y = y * 256; y += buf[4];

     

       127
       127
       +
       +	y = y * 256; y += buf[3];

     

       128
       128
       +
       +	y = y * 256; y += buf[2];

     

       129
       129
       +
       +	y = y * 256; y += buf[1];

     

       130
       130
       +
       +	y = y * 256; y += buf[0];

     

       131
       131
       +
        

     

       132
       132
       +
       -	if(buf[7]&0x80) y=-y;

     

       133
       133
       +
       +	if (buf[7] & 0x80)

     

       134
       134
       +
       +		y = -y;

     

       135
       135
       +
        

     

       136
       136
       +
       -	return y;

     

       137
       137
       +
       +	return (y);

     

       138
       138
       +
        }

     

       139
       139
       +
        

     

       140
       140
       +
       -int main(int argc,char * argv[])

     

       141
       141
       +
       +static void

     

       142
       142
       +
       +usage(void)

     

       143
       143
       +
        {

     

       144
       144
       +
       -	FILE * f, * cpf, * dpf, * epf;

     

       145
       145
       +
       -	BZFILE * cpfbz2, * dpfbz2, * epfbz2;

     

       146
       146
       +
       +

     

       147
       147
       +
       +	fprintf(stderr, "usage: bspatch oldfile newfile patchfile\n");

     

       148
       148
       +
       +	exit(1);

     

       149
       149
       +
       +}

     

       150
       150
       +
       +

     

       151
       151
       +
       +int main(int argc, char *argv[])

     

       152
       152
       +
       +{

     

       153
       153
       +
       +	FILE *f, *cpf, *dpf, *epf;

     

       154
       154
       +
       +	BZFILE *cpfbz2, *dpfbz2, *epfbz2;

     

       155
       155
       +
       +	char *directory, *namebuf;

     

       156
       156
       +
        	int cbz2err, dbz2err, ebz2err;

     

       157
       157
       +
       -	int fd;

     

       158
       158
       +
       -	ssize_t oldsize,newsize;

     

       159
       159
       +
       -	ssize_t bzctrllen,bzdatalen;

     

       160
       160
       +
       -	u_char header[32],buf[8];

     

       161
       161
       +
       +	int newfd, oldfd;

     

       162
       162
       +
       +	off_t oldsize, newsize;

     

       163
       163
       +
       +	off_t bzctrllen, bzdatalen;

     

       164
       164
       +
       +	u_char header[HEADER_SIZE], buf[8];

     

       165
       165
       +
        	u_char *old, *new;

     

       166
       166
       +
       -	off_t oldpos,newpos;

     

       167
       167
       +
       +	off_t oldpos, newpos;

     

       168
       168
       +
        	off_t ctrl[3];

     

       169
       169
       +
       -	off_t lenread;

     

       170
       170
       +
       -	off_t i;

     

       171
       171
       +
       +	off_t i, lenread, offset;

     

       172
       172
       +
        

     

       173
       173
       +
       -	if(argc!=4) errx(1,"usage: %s oldfile newfile patchfile\n",argv[0]);

     

       174
       174
       +
       +	if (argc != 4)

     

       175
       175
       +
       +		usage();

     

       176
       176
       +
        

     

       177
       177
       +
        	/* Open patch file */

     

       178
       178
       +
       -	if ((f = fopen(argv[3], "r")) == NULL)

     

       179
       179
       +
       +	if ((f = fopen(argv[3], "rb")) == NULL)

     

       180
       180
       +
       +		err(1, "fopen(%s)", argv[3]);

     

       181
       181
       +
       +	/* Open patch file for control block */

     

       182
       182
       +
       +	if ((cpf = fopen(argv[3], "rb")) == NULL)

     

       183
       183
       +
       +		err(1, "fopen(%s)", argv[3]);

     

       184
       184
       +
       +	/* open patch file for diff block */

     

       185
       185
       +
       +	if ((dpf = fopen(argv[3], "rb")) == NULL)

     

       186
       186
       +
        		err(1, "fopen(%s)", argv[3]);

     

       187
       187
       +
       +	/* open patch file for extra block */

     

       188
       188
       +
       +	if ((epf = fopen(argv[3], "rb")) == NULL)

     

       189
       189
       +
       +		err(1, "fopen(%s)", argv[3]);

     

       190
       190
       +
       +	/* open oldfile */

     

       191
       191
       +
       +	if ((oldfd = open(argv[1], O_RDONLY | O_BINARY, 0)) < 0)

     

       192
       192
       +
       +		err(1, "open(%s)", argv[1]);

     

       193
       193
       +
       +	/* open directory where we'll write newfile */

     

       194
       194
       +
       +	if ((namebuf = strdup(argv[2])) == NULL ||

     

       195
       195
       +
       +	    (directory = dirname(namebuf)) == NULL ||

     

       196
       196
       +
       +	    (dirfd = open(directory, O_DIRECTORY)) < 0)

     

       197
       197
       +
       +		err(1, "open %s", argv[2]);

     

       198
       198
       +
       +	free(namebuf);

     

       199
       199
       +
       +	if ((newfile = basename(argv[2])) == NULL)

     

       200
       200
       +
       +		err(1, "basename");

     

       201
       201
       +
       +	/* open newfile */

     

       202
       202
       +
       +	if ((newfd = openat(dirfd, newfile,

     

       203
       203
       +
       +	    O_CREAT | O_TRUNC | O_WRONLY | O_BINARY, 0666)) < 0)

     

       204
       204
       +
       +		err(1, "open(%s)", argv[2]);

     

       205
       205
       +
       +	atexit(exit_cleanup);

     

       206
       206
       +
        

     

       207
       207
       +
        	/*

     

       208
       208
       +
        	File format:

     

       209
       209
       +
       @@ -90,104 +185,104 @@

     

       210
       210
       +
        	*/

     

       211
       211
       +
        

     

       212
       212
       +
        	/* Read header */

     

       213
       213
       +
       -	if (fread(header, 1, 32, f) < 32) {

     

       214
       214
       +
       +	if (fread(header, 1, HEADER_SIZE, f) < HEADER_SIZE) {

     

       215
       215
       +
        		if (feof(f))

     

       216
       216
       +
       -			errx(1, "Corrupt patch\n");

     

       217
       217
       +
       +			errx(1, "Corrupt patch");

     

       218
       218
       +
        		err(1, "fread(%s)", argv[3]);

     

       219
       219
       +
        	}

     

       220
       220
       +
        

     

       221
       221
       +
        	/* Check for appropriate magic */

     

       222
       222
       +
        	if (memcmp(header, "BSDIFF40", 8) != 0)

     

       223
       223
       +
       -		errx(1, "Corrupt patch\n");

     

       224
       224
       +
       +		errx(1, "Corrupt patch");

     

       225
       225
       +
        

     

       226
       226
       +
        	/* Read lengths from header */

     

       227
       227
       +
       -	bzctrllen=offtin(header+8);

     

       228
       228
       +
       -	bzdatalen=offtin(header+16);

     

       229
       229
       +
       -	newsize=offtin(header+24);

     

       230
       230
       +
       -	if((bzctrllen<0) || (bzdatalen<0) || (newsize<0))

     

       231
       231
       +
       -		errx(1,"Corrupt patch\n");

     

       232
       232
       +
       +	bzctrllen = offtin(header + 8);

     

       233
       233
       +
       +	bzdatalen = offtin(header + 16);

     

       234
       234
       +
       +	newsize = offtin(header + 24);

     

       235
       235
       +
       +	if (bzctrllen < 0 || bzctrllen > OFF_MAX - HEADER_SIZE ||

     

       236
       236
       +
       +	    bzdatalen < 0 || bzctrllen + HEADER_SIZE > OFF_MAX - bzdatalen ||

     

       237
       237
       +
       +	    newsize < 0 || newsize > SSIZE_MAX)

     

       238
       238
       +
       +		errx(1, "Corrupt patch");

     

       239
       239
       +
        

     

       240
       240
       +
        	/* Close patch file and re-open it via libbzip2 at the right places */

     

       241
       241
       +
        	if (fclose(f))

     

       242
       242
       +
        		err(1, "fclose(%s)", argv[3]);

     

       243
       243
       +
       -	if ((cpf = fopen(argv[3], "r")) == NULL)

     

       244
       244
       +
       -		err(1, "fopen(%s)", argv[3]);

     

       245
       245
       +
       -	if (fseeko(cpf, 32, SEEK_SET))

     

       246
       246
       +
       -		err(1, "fseeko(%s, %lld)", argv[3],

     

       247
       247
       +
       -		    (long long)32);

     

       248
       248
       +
       +	offset = HEADER_SIZE;

     

       249
       249
       +
       +	if (fseeko(cpf, offset, SEEK_SET))

     

       250
       250
       +
       +		err(1, "fseeko(%s, %jd)", argv[3], (intmax_t)offset);

     

       251
       251
       +
        	if ((cpfbz2 = BZ2_bzReadOpen(&cbz2err, cpf, 0, 0, NULL, 0)) == NULL)

     

       252
       252
       +
        		errx(1, "BZ2_bzReadOpen, bz2err = %d", cbz2err);

     

       253
       253
       +
       -	if ((dpf = fopen(argv[3], "r")) == NULL)

     

       254
       254
       +
       -		err(1, "fopen(%s)", argv[3]);

     

       255
       255
       +
       -	if (fseeko(dpf, 32 + bzctrllen, SEEK_SET))

     

       256
       256
       +
       -		err(1, "fseeko(%s, %lld)", argv[3],

     

       257
       257
       +
       -		    (long long)(32 + bzctrllen));

     

       258
       258
       +
       +	offset = add_off_t(offset, bzctrllen);

     

       259
       259
       +
       +	if (fseeko(dpf, offset, SEEK_SET))

     

       260
       260
       +
       +		err(1, "fseeko(%s, %jd)", argv[3], (intmax_t)offset);

     

       261
       261
       +
        	if ((dpfbz2 = BZ2_bzReadOpen(&dbz2err, dpf, 0, 0, NULL, 0)) == NULL)

     

       262
       262
       +
        		errx(1, "BZ2_bzReadOpen, bz2err = %d", dbz2err);

     

       263
       263
       +
       -	if ((epf = fopen(argv[3], "r")) == NULL)

     

       264
       264
       +
       -		err(1, "fopen(%s)", argv[3]);

     

       265
       265
       +
       -	if (fseeko(epf, 32 + bzctrllen + bzdatalen, SEEK_SET))

     

       266
       266
       +
       -		err(1, "fseeko(%s, %lld)", argv[3],

     

       267
       267
       +
       -		    (long long)(32 + bzctrllen + bzdatalen));

     

       268
       268
       +
       +	offset = add_off_t(offset, bzdatalen);

     

       269
       269
       +
       +	if (fseeko(epf, offset, SEEK_SET))

     

       270
       270
       +
       +		err(1, "fseeko(%s, %jd)", argv[3], (intmax_t)offset);

     

       271
       271
       +
        	if ((epfbz2 = BZ2_bzReadOpen(&ebz2err, epf, 0, 0, NULL, 0)) == NULL)

     

       272
       272
       +
        		errx(1, "BZ2_bzReadOpen, bz2err = %d", ebz2err);

     

       273
       273
       +
        

     

       274
       274
       +
       -	if(((fd=open(argv[1],O_RDONLY,0))<0) ||

     

       275
       275
       +
       -		((oldsize=lseek(fd,0,SEEK_END))==-1) ||

     

       276
       276
       +
       -		((old=malloc(oldsize+1))==NULL) ||

     

       277
       277
       +
       -		(lseek(fd,0,SEEK_SET)!=0) ||

     

       278
       278
       +
       -		(read(fd,old,oldsize)!=oldsize) ||

     

       279
       279
       +
       -		(close(fd)==-1)) err(1,"%s",argv[1]);

     

       280
       280
       +
       -	if((new=malloc(newsize+1))==NULL) err(1,NULL);

     

       281
       281
       +
       -

     

       282
       282
       +
       -	oldpos=0;newpos=0;

     

       283
       283
       +
       -	while(newpos<newsize) {

     

       284
       284
       +
       +	if ((oldsize = lseek(oldfd, 0, SEEK_END)) == -1 ||

     

       285
       285
       +
       +	    oldsize > SSIZE_MAX ||

     

       286
       286
       +
       +	    (old = malloc(oldsize)) == NULL ||

     

       287
       287
       +
       +	    lseek(oldfd, 0, SEEK_SET) != 0 ||

     

       288
       288
       +
       +	    read(oldfd, old, oldsize) != oldsize ||

     

       289
       289
       +
       +	    close(oldfd) == -1)

     

       290
       290
       +
       +		err(1, "%s", argv[1]);

     

       291
       291
       +
       +	if ((new = malloc(newsize)) == NULL)

     

       292
       292
       +
       +		err(1, NULL);

     

       293
       293
       +
       +

     

       294
       294
       +
       +	oldpos = 0;

     

       295
       295
       +
       +	newpos = 0;

     

       296
       296
       +
       +	while (newpos < newsize) {

     

       297
       297
       +
        		/* Read control data */

     

       298
       298
       +
       -		for(i=0;i<=2;i++) {

     

       299
       299
       +
       +		for (i = 0; i <= 2; i++) {

     

       300
       300
       +
        			lenread = BZ2_bzRead(&cbz2err, cpfbz2, buf, 8);

     

       301
       301
       +
        			if ((lenread < 8) || ((cbz2err != BZ_OK) &&

     

       302
       302
       +
        			    (cbz2err != BZ_STREAM_END)))

     

       303
       303
       +
       -				errx(1, "Corrupt patch\n");

     

       304
       304
       +
       -			ctrl[i]=offtin(buf);

     

       305
       305
       +
       -		};

     

       306
       306
       +
       +				errx(1, "Corrupt patch");

     

       307
       307
       +
       +			ctrl[i] = offtin(buf);

     

       308
       308
       +
       +		}

     

       309
       309
       +
        

     

       310
       310
       +
        		/* Sanity-check */

     

       311
       311
       +
       -		if ((ctrl[0] < 0) || (ctrl[1] < 0))

     

       312
       312
       +
       -			errx(1,"Corrupt patch\n");

     

       313
       313
       +
       +		if (ctrl[0] < 0 || ctrl[0] > INT_MAX ||

     

       314
       314
       +
       +		    ctrl[1] < 0 || ctrl[1] > INT_MAX)

     

       315
       315
       +
       +			errx(1, "Corrupt patch");

     

       316
       316
       +
        

     

       317
       317
       +
        		/* Sanity-check */

     

       318
       318
       +
       -		if(newpos+ctrl[0]>newsize)

     

       319
       319
       +
       -			errx(1,"Corrupt patch\n");

     

       320
       320
       +
       +		if (add_off_t(newpos, ctrl[0]) > newsize)

     

       321
       321
       +
       +			errx(1, "Corrupt patch");

     

       322
       322
       +
        

     

       323
       323
       +
        		/* Read diff string */

     

       324
       324
       +
        		lenread = BZ2_bzRead(&dbz2err, dpfbz2, new + newpos, ctrl[0]);

     

       325
       325
       +
        		if ((lenread < ctrl[0]) ||

     

       326
       326
       +
        		    ((dbz2err != BZ_OK) && (dbz2err != BZ_STREAM_END)))

     

       327
       327
       +
       -			errx(1, "Corrupt patch\n");

     

       328
       328
       +
       +			errx(1, "Corrupt patch");

     

       329
       329
       +
        

     

       330
       330
       +
        		/* Add old data to diff string */

     

       331
       331
       +
       -		for(i=0;i<ctrl[0];i++)

     

       332
       332
       +
       -			if((oldpos+i>=0) && (oldpos+i<oldsize))

     

       333
       333
       +
       -				new[newpos+i]+=old[oldpos+i];

     

       334
       334
       +
       +		for (i = 0; i < ctrl[0]; i++)

     

       335
       335
       +
       +			if (add_off_t(oldpos, i) < oldsize)

     

       336
       336
       +
       +				new[newpos + i] += old[oldpos + i];

     

       337
       337
       +
        

     

       338
       338
       +
        		/* Adjust pointers */

     

       339
       339
       +
       -		newpos+=ctrl[0];

     

       340
       340
       +
       -		oldpos+=ctrl[0];

     

       341
       341
       +
       +		newpos = add_off_t(newpos, ctrl[0]);

     

       342
       342
       +
       +		oldpos = add_off_t(oldpos, ctrl[0]);

     

       343
       343
       +
        

     

       344
       344
       +
        		/* Sanity-check */

     

       345
       345
       +
       -		if(newpos+ctrl[1]>newsize)

     

       346
       346
       +
       -			errx(1,"Corrupt patch\n");

     

       347
       347
       +
       +		if (add_off_t(newpos, ctrl[1]) > newsize)

     

       348
       348
       +
       +			errx(1, "Corrupt patch");

     

       349
       349
       +
        

     

       350
       350
       +
        		/* Read extra string */

     

       351
       351
       +
        		lenread = BZ2_bzRead(&ebz2err, epfbz2, new + newpos, ctrl[1]);

     

       352
       352
       +
        		if ((lenread < ctrl[1]) ||

     

       353
       353
       +
        		    ((ebz2err != BZ_OK) && (ebz2err != BZ_STREAM_END)))

     

       354
       354
       +
       -			errx(1, "Corrupt patch\n");

     

       355
       355
       +
       +			errx(1, "Corrupt patch");

     

       356
       356
       +
        

     

       357
       357
       +
        		/* Adjust pointers */

     

       358
       358
       +
       -		newpos+=ctrl[1];

     

       359
       359
       +
       -		oldpos+=ctrl[2];

     

       360
       360
       +
       -	};

     

       361
       361
       +
       +		newpos = add_off_t(newpos, ctrl[1]);

     

       362
       362
       +
       +		oldpos = add_off_t(oldpos, ctrl[2]);

     

       363
       363
       +
       +	}

     

       364
       364
       +
        

     

       365
       365
       +
        	/* Clean up the bzip2 reads */

     

       366
       366
       +
        	BZ2_bzReadClose(&cbz2err, cpfbz2);

     

       367
       367
       +
       @@ -197,12 +292,13 @@

     

       368
       368
       +
        		err(1, "fclose(%s)", argv[3]);

     

       369
       369
       +
        

     

       370
       370
       +
        	/* Write the new file */

     

       371
       371
       +
       -	if(((fd=open(argv[2],O_CREAT|O_TRUNC|O_WRONLY,0666))<0) ||

     

       372
       372
       +
       -		(write(fd,new,newsize)!=newsize) || (close(fd)==-1))

     

       373
       373
       +
       -		err(1,"%s",argv[2]);

     

       374
       374
       +
       +	if (write(newfd, new, newsize) != newsize || close(newfd) == -1)

     

       375
       375
       +
       +		err(1, "%s", argv[2]);

     

       376
       376
       +
       +	/* Disable atexit cleanup */

     

       377
       377
       +
       +	newfile = NULL;

     

       378
       378
       +
        

     

       379
       379
       +
        	free(new);

     

       380
       380
       +
        	free(old);

     

       381
       381
       +
        

     

       382
       382
       +
       -	return 0;

     

       383
       383
       +
       +	return (0);

     

       384
       384
       +
        }

+22 -2

pkgs/tools/compression/bsdiff/default.nix

···

       1
       1
       -
       { lib, stdenv, fetchurl, bzip2 }:

     

       1
       1
       +
       { lib, stdenv, fetchurl, fetchpatch, bzip2 }:

     

       2
       2
        
       

     

       3
       3
        
       stdenv.mkDerivation rec {

     

       4
       4
        
         pname = "bsdiff";

     
···

       10
       10
        
         };

     

       11
       11
        
       

     

       12
       12
        
         buildInputs = [ bzip2 ];

     

       13
       13
       -
         patches = [ ./include-systypes.patch ];

     

       13
       13
       +
         patches = [

     

       14
       14
       +
           (fetchpatch {

     

       15
       15
       +
             url = "https://sources.debian.org/data/main/b/bsdiff/4.3-22/debian/patches/20-CVE-2014-9862.patch";

     

       16
       16
       +
             sha256 = "sha256-3UuUfNvShQ8fLqxCKUTb/n4BmjL4+Nl7aEqCxYrrERQ=";

     

       17
       17
       +
           })

     

       18
       18
       +
           ./CVE-2020-14315.patch

     

       19
       19
       +
           ./include-systypes.patch

     

       20
       20
       +
         ] ++ lib.optional stdenv.hostPlatform.isLinux [

     

       21
       21
       +
           (fetchpatch {

     

       22
       22
       +
             url = "https://sources.debian.org/data/main/b/bsdiff/4.3-22/debian/patches/30-bug-632585-mmap-src-file-instead-of-malloc-read-it.patch";

     

       23
       23
       +
             sha256 = "sha256-esbhz2/efUiuQDuF7LGfSeEn3/f1WbqCxQpTs2A0ulI=";

     

       24
       24
       +
           })

     

       25
       25
       +
           (fetchpatch {

     

       26
       26
       +
             url = "https://sources.debian.org/data/main/b/bsdiff/4.3-22/debian/patches/31-bug-632585-mmap-dst-file-instead-of-malloc-read-it.patch";

     

       27
       27
       +
             sha256 = "sha256-Of4aOcI0rsgdRzPqyw2VRn2p9wQuo3hdlgDTBdXGzoc=";

     

       28
       28
       +
           })

     

       29
       29
       +
           (fetchpatch {

     

       30
       30
       +
             url = "https://sources.debian.org/data/main/b/bsdiff/4.3-22/debian/patches/32-bug-632585-use-int32_t-instead-off_t-for-file-size.patch";

     

       31
       31
       +
             sha256 = "sha256-SooFnFK4uKNXvXQb/LEcH8GocnRtkryExI4b3BZTsAY=";

     

       32
       32
       +
           })

     

       33
       33
       +
         ];

     

       14
       34
        
       

     

       15
       35
        
         buildPhase = ''

     

       16
       36
        
           $CC -O3 -lbz2 bspatch.c -o bspatch