1 |
From 6bcc779a17a2d286e4c3cb958ddf369cc01cb42c Mon Sep 17 00:00:00 2001 |
2 |
From: Allen Winter <allen.winter@kdab.com> |
3 |
Date: Thu, 15 Dec 2016 18:17:10 -0500 |
4 |
Subject: [PATCH] icaltimezone.c - fix heap-use-after-free caused by |
5 |
fetch_lat_long_from_string() issue#262 |
6 |
|
7 |
Backported by Mike Gorse <mgorse@suse.com> |
8 |
--- |
9 |
diff -urp libical-1.0.1.orig/src/libical/icaltimezone.c libical-1.0.1/src/libical/icaltimezone.c |
10 |
--- libical-1.0.1.orig/src/libical/icaltimezone.c 2014-10-09 10:07:05.000000000 -0500 |
11 |
+++ libical-1.0.1/src/libical/icaltimezone.c 2017-06-19 16:08:11.425132052 -0500 |
12 |
@@ -49,6 +49,7 @@ |
13 |
#include <pthread.h> |
14 |
static pthread_mutex_t builtin_mutex = PTHREAD_MUTEX_INITIALIZER; |
15 |
#endif |
16 |
+#include <stddef.h> /* for ptrdiff_t */ |
17 |
|
18 |
#ifdef WIN32 |
19 |
#ifndef _WIN32_WCE |
20 |
@@ -1610,16 +1611,16 @@ fetch_lat_long_from_string (const char |
21 |
|
22 |
/* We need to parse the latitude/longitude co-ordinates and location fields */ |
23 |
sptr = (char *) str; |
24 |
- while (*sptr != '\t') |
25 |
+ while (*sptr != '\t' && *sptr != '\0') |
26 |
sptr++; |
27 |
temp = ++sptr; |
28 |
- while (*sptr != '\t') |
29 |
+ while (*sptr != '\t' && *sptr != '\0') |
30 |
sptr++; |
31 |
len = sptr-temp; |
32 |
lat = (char *) malloc (len + 1); |
33 |
lat = strncpy (lat, temp, len); |
34 |
lat [len] = '\0'; |
35 |
- while (*sptr != '\t') |
36 |
+ while (*sptr != '\t' && *sptr != '\0') |
37 |
sptr++; |
38 |
|
39 |
loc = ++sptr; |