current/SOURCES/CVE-2018-19387.patch

From 749f67b7d801eed03345fef9c04206fbd079c3cb Mon Sep 17 00:00:00 2001
From: nicm <nicm>
Date: Mon, 19 Nov 2018 13:35:40 +0000
Subject: [PATCH] evbuffer_new and bufferevent_new can both fail (when malloc
 fails) and return NULL. GitHub issue 1547.

---
 cmd-pipe-pane.c  | 2 ++
 control-notify.c | 2 ++
 format.c         | 4 ++++
 input.c          | 2 ++
 job.c            | 2 ++
 server-client.c  | 6 ++++++
 tty.c            | 4 ++++
 window.c         | 2 ++
 8 files changed, 24 insertions(+)

diff --git a/cmd-pipe-pane.c b/cmd-pipe-pane.c
index 199dd5754..4650959ce 100644
--- a/cmd-pipe-pane.c
+++ b/cmd-pipe-pane.c
@@ -166,6 +166,8 @@ cmd_pipe_pane_exec(struct cmd *self, struct cmdq_item *item)
                    cmd_pipe_pane_write_callback,
                    cmd_pipe_pane_error_callback,
                    wp);
+               if (wp->pipe_event == NULL)
+                       fatalx("out of memory");
                if (out)
                        bufferevent_enable(wp->pipe_event, EV_WRITE);
                if (in)
diff --git a/control-notify.c b/control-notify.c
index 492914830..7b28e8f0a 100644
--- a/control-notify.c
+++ b/control-notify.c
@@ -47,6 +47,8 @@ control_notify_input(struct client *c, struct window_pane *wp,
         */
        if (winlink_find_by_window(&c->session->windows, wp->window) != NULL) {
                message = evbuffer_new();
+               if (message == NULL)
+                       fatalx("out of memory");
                evbuffer_add_printf(message, "%%output %%%u ", wp->id);
                for (i = 0; i < len; i++) {
                        if (buf[i] < ' ' || buf[i] == '\\')
diff --git a/format.c b/format.c
index 213654579..77f5f59d9 100644
--- a/format.c
+++ b/format.c
@@ -573,6 +573,8 @@ format_cb_pane_tabs(struct format_tree *ft, struct format_entry *fe)
                return;
 
        buffer = evbuffer_new();
+       if (buffer == NULL)
+               fatalx("out of memory");
        for (i = 0; i < wp->base.grid->sx; i++) {
                if (!bit_test(wp->base.tabs, i))
                        continue;
@@ -603,6 +605,8 @@ format_cb_session_group_list(struct format_tree *ft, struct format_entry *fe)
                return;
 
        buffer = evbuffer_new();
+       if (buffer == NULL)
+               fatalx("out of memory");
        TAILQ_FOREACH(loop, &sg->sessions, gentry) {
                if (EVBUFFER_LENGTH(buffer) > 0)
                        evbuffer_add(buffer, ",", 1);
diff --git a/input.c b/input.c
index 41cdfb70f..d9f419fe2 100644
--- a/input.c
+++ b/input.c
@@ -767,6 +767,8 @@ input_init(struct window_pane *wp)
        ictx->input_buf = xmalloc(INPUT_BUF_START);
 
        ictx->since_ground = evbuffer_new();
+       if (ictx->since_ground == NULL)
+               fatalx("out of memory");
 
        evtimer_set(&ictx->timer, input_timer_callback, ictx);
 
diff --git a/job.c b/job.c
index 66315bd2c..73f62359f 100644
--- a/job.c
+++ b/job.c
@@ -155,6 +155,8 @@ job_run(const char *cmd, struct session *s, const char *cwd,
 
        job->event = bufferevent_new(job->fd, job_read_callback,
            job_write_callback, job_error_callback, job);
+       if (job->event == NULL)
+               fatalx("out of memory");
        bufferevent_enable(job->event, EV_READ|EV_WRITE);
 
        log_debug("run job %p: %s, pid %ld", job, job->cmd, (long) job->pid);
diff --git a/server-client.c b/server-client.c
index 3d939163b..94cc9e925 100644
--- a/server-client.c
+++ b/server-client.c
@@ -186,8 +186,14 @@ server_client_create(int fd)
        TAILQ_INIT(&c->queue);
 
        c->stdin_data = evbuffer_new();
+       if (c->stdin_data == NULL)
+               fatalx("out of memory");
        c->stdout_data = evbuffer_new();
+       if (c->stdout_data == NULL)
+               fatalx("out of memory");
        c->stderr_data = evbuffer_new();
+       if (c->stderr_data == NULL)
+               fatalx("out of memory");
 
        c->tty.fd = -1;
        c->title = NULL;
diff --git a/tty.c b/tty.c
index 6b63aa3bd..df47c9726 100644
--- a/tty.c
+++ b/tty.c
@@ -258,9 +258,13 @@ tty_open(struct tty *tty, char **cause)
        event_set(&tty->event_in, tty->fd, EV_PERSIST|EV_READ,
            tty_read_callback, tty);
        tty->in = evbuffer_new();
+       if (tty->in == NULL)
+               fatal("out of memory");
 
        event_set(&tty->event_out, tty->fd, EV_WRITE, tty_write_callback, tty);
        tty->out = evbuffer_new();
+       if (tty->out == NULL)
+               fatal("out of memory");
 
        evtimer_set(&tty->timer, tty_timer_callback, tty);
 
diff --git a/window.c b/window.c
index 6e76b480d..530d95743 100644
--- a/window.c
+++ b/window.c
@@ -997,6 +997,8 @@ window_pane_spawn(struct window_pane *wp, int argc, char **argv,
 
        wp->event = bufferevent_new(wp->fd, window_pane_read_callback, NULL,
            window_pane_error_callback, wp);
+       if (wp->event == NULL)
+               fatalx("out of memory");
 
        bufferevent_setwatermark(wp->event, EV_READ, 0, READ_SIZE);
        bufferevent_enable(wp->event, EV_READ|EV_WRITE);
1	From 749f67b7d801eed03345fef9c04206fbd079c3cb Mon Sep 17 00:00:00 2001
2	From: nicm <nicm>
3	Date: Mon, 19 Nov 2018 13:35:40 +0000
4	Subject: [PATCH] evbuffer_new and bufferevent_new can both fail (when malloc
5	fails) and return NULL. GitHub issue 1547.
6
7	---
8	cmd-pipe-pane.c \| 2 ++
9	control-notify.c \| 2 ++
10	format.c \| 4 ++++
11	input.c \| 2 ++
12	job.c \| 2 ++
13	server-client.c \| 6 ++++++
14	tty.c \| 4 ++++
15	window.c \| 2 ++
16	8 files changed, 24 insertions(+)
17
18	diff --git a/cmd-pipe-pane.c b/cmd-pipe-pane.c
19	index 199dd5754..4650959ce 100644
20	--- a/cmd-pipe-pane.c
21	+++ b/cmd-pipe-pane.c
22	@@ -166,6 +166,8 @@ cmd_pipe_pane_exec(struct cmd self, struct cmdq_item item)
23	cmd_pipe_pane_write_callback,
24	cmd_pipe_pane_error_callback,
25	wp);
26	+ if (wp->pipe_event == NULL)
27	+ fatalx("out of memory");
28	if (out)
29	bufferevent_enable(wp->pipe_event, EV_WRITE);
30	if (in)
31	diff --git a/control-notify.c b/control-notify.c
32	index 492914830..7b28e8f0a 100644
33	--- a/control-notify.c
34	+++ b/control-notify.c
35	@@ -47,6 +47,8 @@ control_notify_input(struct client c, struct window_pane wp,
36	*/
37	if (winlink_find_by_window(&c->session->windows, wp->window) != NULL) {
38	message = evbuffer_new();
39	+ if (message == NULL)
40	+ fatalx("out of memory");
41	evbuffer_add_printf(message, "%%output %%%u ", wp->id);
42	for (i = 0; i < len; i++) {
43	if (buf[i] < ' ' \|\| buf[i] == '\\')
44	diff --git a/format.c b/format.c
45	index 213654579..77f5f59d9 100644
46	--- a/format.c
47	+++ b/format.c
48	@@ -573,6 +573,8 @@ format_cb_pane_tabs(struct format_tree ft, struct format_entry fe)
49	return;
50
51	buffer = evbuffer_new();
52	+ if (buffer == NULL)
53	+ fatalx("out of memory");
54	for (i = 0; i < wp->base.grid->sx; i++) {
55	if (!bit_test(wp->base.tabs, i))
56	continue;
57	@@ -603,6 +605,8 @@ format_cb_session_group_list(struct format_tree ft, struct format_entry fe)
58	return;
59
60	buffer = evbuffer_new();
61	+ if (buffer == NULL)
62	+ fatalx("out of memory");
63	TAILQ_FOREACH(loop, &sg->sessions, gentry) {
64	if (EVBUFFER_LENGTH(buffer) > 0)
65	evbuffer_add(buffer, ",", 1);
66	diff --git a/input.c b/input.c
67	index 41cdfb70f..d9f419fe2 100644
68	--- a/input.c
69	+++ b/input.c
70	@@ -767,6 +767,8 @@ input_init(struct window_pane *wp)
71	ictx->input_buf = xmalloc(INPUT_BUF_START);
72
73	ictx->since_ground = evbuffer_new();
74	+ if (ictx->since_ground == NULL)
75	+ fatalx("out of memory");
76
77	evtimer_set(&ictx->timer, input_timer_callback, ictx);
78
79	diff --git a/job.c b/job.c
80	index 66315bd2c..73f62359f 100644
81	--- a/job.c
82	+++ b/job.c
83	@@ -155,6 +155,8 @@ job_run(const char cmd, struct session s, const char *cwd,
84
85	job->event = bufferevent_new(job->fd, job_read_callback,
86	job_write_callback, job_error_callback, job);
87	+ if (job->event == NULL)
88	+ fatalx("out of memory");
89	bufferevent_enable(job->event, EV_READ\|EV_WRITE);
90
91	log_debug("run job %p: %s, pid %ld", job, job->cmd, (long) job->pid);
92	diff --git a/server-client.c b/server-client.c
93	index 3d939163b..94cc9e925 100644
94	--- a/server-client.c
95	+++ b/server-client.c
96	@@ -186,8 +186,14 @@ server_client_create(int fd)
97	TAILQ_INIT(&c->queue);
98
99	c->stdin_data = evbuffer_new();
100	+ if (c->stdin_data == NULL)
101	+ fatalx("out of memory");
102	c->stdout_data = evbuffer_new();
103	+ if (c->stdout_data == NULL)
104	+ fatalx("out of memory");
105	c->stderr_data = evbuffer_new();
106	+ if (c->stderr_data == NULL)
107	+ fatalx("out of memory");
108
109	c->tty.fd = -1;
110	c->title = NULL;
111	diff --git a/tty.c b/tty.c
112	index 6b63aa3bd..df47c9726 100644
113	--- a/tty.c
114	+++ b/tty.c
115	@@ -258,9 +258,13 @@ tty_open(struct tty tty, char *cause)
116	event_set(&tty->event_in, tty->fd, EV_PERSIST\|EV_READ,
117	tty_read_callback, tty);
118	tty->in = evbuffer_new();
119	+ if (tty->in == NULL)
120	+ fatal("out of memory");
121
122	event_set(&tty->event_out, tty->fd, EV_WRITE, tty_write_callback, tty);
123	tty->out = evbuffer_new();
124	+ if (tty->out == NULL)
125	+ fatal("out of memory");
126
127	evtimer_set(&tty->timer, tty_timer_callback, tty);
128
129	diff --git a/window.c b/window.c
130	index 6e76b480d..530d95743 100644
131	--- a/window.c
132	+++ b/window.c
133	@@ -997,6 +997,8 @@ window_pane_spawn(struct window_pane wp, int argc, char *argv,
134
135	wp->event = bufferevent_new(wp->fd, window_pane_read_callback, NULL,
136	window_pane_error_callback, wp);
137	+ if (wp->event == NULL)
138	+ fatalx("out of memory");
139
140	bufferevent_setwatermark(wp->event, EV_READ, 0, READ_SIZE);
141	bufferevent_enable(wp->event, EV_READ\|EV_WRITE);