| 1 |
From 6bcc779a17a2d286e4c3cb958ddf369cc01cb42c Mon Sep 17 00:00:00 2001 |
| 2 |
From: Allen Winter <allen.winter@kdab.com> |
| 3 |
Date: Thu, 15 Dec 2016 18:17:10 -0500 |
| 4 |
Subject: [PATCH] icaltimezone.c - fix heap-use-after-free caused by |
| 5 |
fetch_lat_long_from_string() issue#262 |
| 6 |
|
| 7 |
Backported by Mike Gorse <mgorse@suse.com> |
| 8 |
--- |
| 9 |
diff -urp libical-1.0.1.orig/src/libical/icaltimezone.c libical-1.0.1/src/libical/icaltimezone.c |
| 10 |
--- libical-1.0.1.orig/src/libical/icaltimezone.c 2014-10-09 10:07:05.000000000 -0500 |
| 11 |
+++ libical-1.0.1/src/libical/icaltimezone.c 2017-06-19 16:08:11.425132052 -0500 |
| 12 |
@@ -49,6 +49,7 @@ |
| 13 |
#include <pthread.h> |
| 14 |
static pthread_mutex_t builtin_mutex = PTHREAD_MUTEX_INITIALIZER; |
| 15 |
#endif |
| 16 |
+#include <stddef.h> /* for ptrdiff_t */ |
| 17 |
|
| 18 |
#ifdef WIN32 |
| 19 |
#ifndef _WIN32_WCE |
| 20 |
@@ -1610,16 +1611,16 @@ fetch_lat_long_from_string (const char |
| 21 |
|
| 22 |
/* We need to parse the latitude/longitude co-ordinates and location fields */ |
| 23 |
sptr = (char *) str; |
| 24 |
- while (*sptr != '\t') |
| 25 |
+ while (*sptr != '\t' && *sptr != '\0') |
| 26 |
sptr++; |
| 27 |
temp = ++sptr; |
| 28 |
- while (*sptr != '\t') |
| 29 |
+ while (*sptr != '\t' && *sptr != '\0') |
| 30 |
sptr++; |
| 31 |
len = sptr-temp; |
| 32 |
lat = (char *) malloc (len + 1); |
| 33 |
lat = strncpy (lat, temp, len); |
| 34 |
lat [len] = '\0'; |
| 35 |
- while (*sptr != '\t') |
| 36 |
+ while (*sptr != '\t' && *sptr != '\0') |
| 37 |
sptr++; |
| 38 |
|
| 39 |
loc = ++sptr; |
Parent Directory
| 
Revision Log