author | Daniel Black <dragonheart@gentoo.org> | 2005-05-04 11:26:38 +0000 |
---|---|---|
committer | Daniel Black <dragonheart@gentoo.org> | 2005-05-04 11:26:38 +0000 |
commit | 3d98bba8a26e316208ed14d013610da2c270ae83 (patch) | |
tree | 2f1695907584808e741651911ef6e8bb26c0110f /app-editors/hteditor | |
parent | app-editors/hteditor-0.8.0-r1 for testing (diff) | |
hteditor-0.8.0-r1 fixes 0 segments exploit that Tavis found
Package-Manager: portage-2.0.51.21
Diffstat (limited to 'app-editors/hteditor')
-rw-r--r-- | app-editors/hteditor/ChangeLog | 8 | ||||
-rw-r--r-- | app-editors/hteditor/Manifest | 15 | ||||
-rw-r--r-- | app-editors/hteditor/files/digest-hteditor-0.8.0-r1 | 1 | ||||
-rw-r--r-- | app-editors/hteditor/files/hteditor-0.8.0-mallocboundcheck.patch | 246 | ||||
-rw-r--r-- | app-editors/hteditor/hteditor-0.8.0-r1.ebuild | 45 |
5 files changed, 308 insertions, 7 deletions
diff --git a/app-editors/hteditor/ChangeLog b/app-editors/hteditor/ChangeLog
index 453fc11996e5..bc56ad2a11cb 100644
--- a/app-editors/hteditor/ChangeLog
+++ b/app-editors/hteditor/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for app-editors/hteditor
 # Copyright 2002-2005 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-editors/hteditor/ChangeLog,v 1.12 2005/04/21 14:04:39 herbs Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-editors/hteditor/ChangeLog,v 1.13 2005/05/04 11:26:38 dragonheart Exp $
+
+*hteditor-0.8.0-r1 (04 May 2005)
+
+ 04 May 2005; Daniel Black <dragonheart@gentoo.org>
+ +files/hteditor-0.8.0-mallocboundcheck.patch, +hteditor-0.8.0-r1.ebuild:
+ hteditor-0.8.0-r1 fixes 0 segments exploit that Tavis found
 
 21 Apr 2005; Herbie Hopkins <herbs@gentoo.org> hteditor-0.8.0.ebuild:
 ~amd64 keyword added, bug #88994
diff --git a/app-editors/hteditor/Manifest b/app-editors/hteditor/Manifest
index 6235a89eba74..707cf0a189fe 100644
--- a/app-editors/hteditor/Manifest
+++ b/app-editors/hteditor/Manifest
@@ -1,16 +1,19 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1
 
+MD5 ec15c93525f4f3c65a3114e847f3eb9d ChangeLog 2080
+MD5 1652522405f5936eb29776ef8d5ffa5b metadata.xml 310
 MD5 474a7acbf7f185b0c050806a3f404314 hteditor-0.8.0.ebuild 848
+MD5 2ffbedac2a1052be2124e41bf03398c9 hteditor-0.8.0-r1.ebuild 961
 MD5 a3967faa2e53b980b44cbe19a2a1d6a6 hteditor-0.7.4.ebuild 722
-MD5 76319fd839fb6138b5771bb8acf7d12e ChangeLog 1849
-MD5 1652522405f5936eb29776ef8d5ffa5b metadata.xml 310
-MD5 44f3316a45dc74c201dd2513928e3a20 files/digest-hteditor-0.7.4 61
 MD5 62f3c11a4b0b8fe29f1a412386c66d5c files/digest-hteditor-0.8.0 61
+MD5 376145af92012f30281eeeafc0abf98a files/hteditor-0.8.0-mallocboundcheck.patch 10239
+MD5 44f3316a45dc74c201dd2513928e3a20 files/digest-hteditor-0.7.4 61
+MD5 62f3c11a4b0b8fe29f1a412386c66d5c files/digest-hteditor-0.8.0-r1 61
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.1 (GNU/Linux)
 
-iD8DBQFCZ7MP2G5bA0cA/ScRAtRXAKDtLnjhKGFQeucpu1ou96m3d4ICgQCfUAE7
-4HDcoWcMXgLlJ13rFK8mPLU=
-=OHy9
+iD8DBQFCeLF/mdTrptrqvGERAmsHAJ4rbBO1MzRFNUm+/g7WWsqgH0/yEgCeP0Ge
+OT+CUDyUnO0iVpWjsYGic84=
+=GnfS
 -----END PGP SIGNATURE-----
diff --git a/app-editors/hteditor/files/digest-hteditor-0.8.0-r1 b/app-editors/hteditor/files/digest-hteditor-0.8.0-r1
new file mode 100644
index 000000000000..0f800184724d
--- /dev/null
+++ b/app-editors/hteditor/files/digest-hteditor-0.8.0-r1
@@ -0,0 +1 @@
+MD5 ee309bdd16b3e1ec78b2efb6427dd5a5 ht-0.8.0.tar.bz2 731401
diff --git a/app-editors/hteditor/files/hteditor-0.8.0-mallocboundcheck.patch b/app-editors/hteditor/files/hteditor-0.8.0-mallocboundcheck.patch
new file mode 100644
index 000000000000..b2f64e8baf0e
--- /dev/null
+++ b/app-editors/hteditor/files/hteditor-0.8.0-mallocboundcheck.patch
@@ -0,0 +1,246 @@
+--- cplus-dem.c.orig 2005-05-04 19:32:05.000000000 +1000
++++ cplus-dem.c 2005-05-04 19:52:48.000000000 +1000
+@@ -1572,7 +1572,7 @@
+ else
+ {
+ int symbol_len = consume_count (mangled);
+- if (symbol_len == -1)
++ if (symbol_len <= -1)
+ return -1;
+ if (symbol_len == 0)
+ string_appendn (s, "0", 1);
+@@ -1690,7 +1690,7 @@
+ {
+ return (0);
+ }
+- if (!is_type)
++ if (!is_type && r)
+ {
+ /* Create an array for saving the template argument values. */
+ work->tmpl_argvec = (char**) xmalloc (r * sizeof (char *));
+@@ -1718,9 +1718,11 @@
+ {
+ /* Save the template argument. */
+ int len = temp.p - temp.b;
+- work->tmpl_argvec[i] = xmalloc (len + 1);
+- memcpy (work->tmpl_argvec[i], temp.b, len);
+- work->tmpl_argvec[i][len] = '\0';
++ if (len) {
++ work->tmpl_argvec[i] = xmalloc (len + 1);
++ memcpy (work->tmpl_argvec[i], temp.b, len);
++ work->tmpl_argvec[i][len] = '\0';
++ }
+ }
+ }
+ string_delete(&temp);
+@@ -1746,9 +1748,12 @@
+ {
+ /* Save the template argument. */
+ int len = r2;
+- work->tmpl_argvec[i] = xmalloc (len + 1);
+- memcpy (work->tmpl_argvec[i], *mangled, len);
+- work->tmpl_argvec[i][len] = '\0';
++ if (len >=0)
++ {
++ work->tmpl_argvec[i] = xmalloc (len + 1);
++ memcpy (work->tmpl_argvec[i], *mangled, len);
++ work->tmpl_argvec[i][len] = '\0';
++ }
+ }
+ *mangled += r2;
+ }
+@@ -1792,9 +1797,11 @@
+ if (!is_type)
+ {
+ int len = s->p - s->b;
+- work->tmpl_argvec[i] = xmalloc (len + 1);
+- memcpy (work->tmpl_argvec[i], s->b, len);
+- work->tmpl_argvec[i][len] = '\0';
++ if (len<=0) {
++ work->tmpl_argvec[i] = xmalloc (len + 1);
++ memcpy (work->tmpl_argvec[i], s->b, len);
++ work->tmpl_argvec[i][len] = '\0';
++ }
+
+ string_appends (tname, s);
+ string_delete (s);
+@@ -2594,6 +2601,7 @@
+ char * recurse = (char *)NULL;
+ char * recurse_dem = (char *)NULL;
+
++ if (namelength <= 0) return; /* not sure about this one */
+ recurse = (char *) xmalloc (namelength + 1);
+ memcpy (recurse, *mangled, namelength);
+ recurse[namelength] = '\000';
+@@ -3730,6 +3738,7 @@
+ sizeof (char *) * work -> typevec_size);
+ }
+ }
++ if (len<=0) len=0;
+ tem = xmalloc (len + 1);
+ memcpy (tem, start, len);
+ tem[len] = '\0';
+@@ -3762,6 +3771,7 @@
+ sizeof (char *) * work -> ksize);
+ }
+ }
++ if (len<=0) len=0;
+ tem = xmalloc (len + 1);
+ memcpy (tem, start, len);
+ tem[len] = '\0';
+@@ -3809,6 +3819,7 @@
+ {
+ char *tem;
+
++ if (len<=0) len=0;
+ tem = xmalloc (len + 1);
+ memcpy (tem, start, len);
+ tem[len] = '\0';
+--- htanaly.cc.orig 2005-05-04 19:59:15.000000000 +1000
++++ htanaly.cc 2005-05-04 19:59:19.000000000 +1000
+@@ -1323,6 +1323,7 @@
+ if (!getCurrentAddress(&c)) break;
+ b = analy->createAddress();
+ UINT bz = b->byteSize();
++ if (!bz) break;
+ byte *buf = (byte*)smalloc(bz);
+ if (analy->bufPtr(c, buf, bz) != bz) break;
+ b->getFromArray(buf);
+--- htcoff.cc.orig 2005-05-04 20:08:20.000000000 +1000
++++ htcoff.cc 2005-05-04 20:08:26.000000000 +1000
+@@ -168,12 +168,13 @@
+ h -= 4;
+
+ file->seek(h+os+24);
+- coff_shared->sections.sections=(COFF_SECTION_HEADER*)malloc(coff_shared->sections.section_count * sizeof *coff_shared->sections.sections);
+- file->read(coff_shared->sections.sections, coff_shared->sections.section_count*sizeof *coff_shared->sections.sections);
+- for (UINT i=0; i<coff_shared->sections.section_count; i++) {
+- create_host_struct(&coff_shared->sections.sections[i], COFF_SECTION_HEADER_struct, end);
+- }
+-
++ if (coff_shared->sections.section_count) {
++ coff_shared->sections.sections=(COFF_SECTION_HEADER*)malloc(coff_shared->sections.section_count * sizeof *coff_shared->sections.sections);
++ file->read(coff_shared->sections.sections, coff_shared->sections.section_count*sizeof *coff_shared->sections.sections);
++ for (UINT i=0; i<coff_shared->sections.section_count; i++) {
++ create_host_struct(&coff_shared->sections.sections[i], COFF_SECTION_HEADER_struct, end);
++ }
++ } /* CHECK - sufficient */
+ shared_data = coff_shared;
+
+ ht_format_group::init_ifs(ifs);
+--- htelf.cc.orig 2005-05-04 19:09:49.000000000 +1000
++++ htelf.cc 2005-05-04 20:15:19.000000000 +1000
+@@ -150,6 +150,7 @@
+ create_host_struct(&elf_shared->header32, ELF_HEADER32_struct, elf_shared->byte_order);
+ /* read section headers */
+ elf_shared->sheaders.count=elf_shared->header32.e_shnum;
++ if (!elf_shared->sheaders.count) throw new ht_msg_exception("Zero count for section headers");
+ elf_shared->sheaders.sheaders32=(ELF_SECTION_HEADER32*)malloc(elf_shared->sheaders.count*sizeof *elf_shared->sheaders.sheaders32);
+ if (file->seek(header_ofs+elf_shared->header32.e_shoff)) throw new ht_msg_exception("seek error");
+ if (file->read(elf_shared->sheaders.sheaders32, elf_shared->sheaders.count*sizeof *elf_shared->sheaders.sheaders32)
+@@ -162,6 +163,7 @@
+
+ /* read program headers */
+ elf_shared->pheaders.count=elf_shared->header32.e_phnum;
++ if (!elf_shared->pheaders.count) throw new ht_msg_exception("Zero count in program section headers");
+ elf_shared->pheaders.pheaders32=(ELF_PROGRAM_HEADER32*)malloc(elf_shared->pheaders.count*sizeof *elf_shared->pheaders.pheaders32);
+ if (file->seek(header_ofs+elf_shared->header32.e_phoff)) throw new ht_msg_exception("seek error");
+ if (file->read(elf_shared->pheaders.pheaders32, elf_shared->pheaders.count*sizeof *elf_shared->pheaders.pheaders32)
+@@ -197,6 +199,7 @@
+ create_host_struct(&elf_shared->header64, ELF_HEADER64_struct, elf_shared->byte_order);
+ /* read section headers */
+ elf_shared->sheaders.count=elf_shared->header64.e_shnum;
++ if (!elf_shared->sheaders.count) throw new ht_msg_exception("Zero count for section headers");
+ elf_shared->sheaders.sheaders64=(ELF_SECTION_HEADER64*)malloc(elf_shared->sheaders.count*sizeof *elf_shared->sheaders.sheaders64);
+ /* FIXME: 64-bit */
+ if (file->seek(header_ofs+elf_shared->header64.e_shoff.lo)) throw new ht_msg_exception("seek error");
+@@ -210,6 +213,7 @@
+
+ /* read program headers */
+ elf_shared->pheaders.count=elf_shared->header64.e_phnum;
++ if (!elf_shared->pheaders.count) throw new ht_msg_exception("Zero count in program section headers");
+ elf_shared->pheaders.pheaders64=(ELF_PROGRAM_HEADER64*)malloc(elf_shared->pheaders.count*sizeof *elf_shared->pheaders.pheaders64);
+ /* FIXME: 64-bit */
+ if (file->seek(header_ofs+elf_shared->header64.e_phoff.lo)) throw new ht_msg_exception("seek error");
+@@ -417,8 +421,11 @@
+ ht_elf_shared_data *elf_shared=(ht_elf_shared_data *)shared_data;
+
+ ELF_SECTION_HEADER32 *s=elf_shared->sheaders.sheaders32;
+-
+- elf_shared->shrelocs = (ht_elf_reloc_section32*)malloc(elf_shared->sheaders.count * sizeof (ht_elf_reloc_section32));
++ if (!elf_shared->sheaders.count) {
++ LOG("%s: ELF: segment header count is zero", file->get_filename());
++ } else {
++ elf_shared->shrelocs = (ht_elf_reloc_section32*)malloc(elf_shared->sheaders.count * sizeof (ht_elf_reloc_section32));
++ }
+
+ /* relocate sections */
+ for (uint i=0; i<elf_shared->sheaders.count; i++) {
+--- htpef.cc.orig 2005-05-04 20:38:57.000000000 +1000
++++ htpef.cc 2005-05-04 20:39:00.000000000 +1000
+@@ -99,16 +99,18 @@
+
+ /* read section headers */
+ pef_shared->sheaders.count = pef_shared->contHeader.sectionCount;
+- pef_shared->sheaders.sheaders = (PEF_SECTION_HEADER*)
+- malloc(pef_shared->sheaders.count*sizeof (PEF_SECTION_HEADER));
+- for (uint i=0; i<pef_shared->sheaders.count; i++) {
+- file->read(&pef_shared->sheaders.sheaders[i], sizeof pef_shared->sheaders.sheaders[i]);
+- create_host_struct(&pef_shared->sheaders.sheaders[i], PEF_SECTION_HEADER_struct, pef_shared->byte_order);
+- // FIXME: hack
+- pef_shared->sheaders.sheaders[i].defaultAddress = i*0x100000;
+- if (!pef_shared->loader_info_header_ofs
+- && pef_shared->sheaders.sheaders[i].sectionKind == PEF_SK_Loader) {
+- pef_shared->loader_info_header_ofs = pef_shared->sheaders.sheaders[i].containerOffset;
++ if (pef_shared->sheaders.count) {
++ pef_shared->sheaders.sheaders = (PEF_SECTION_HEADER*)
++ malloc(pef_shared->sheaders.count*sizeof (PEF_SECTION_HEADER));
++ for (uint i=0; i<pef_shared->sheaders.count; i++) {
++ file->read(&pef_shared->sheaders.sheaders[i], sizeof pef_shared->sheaders.sheaders[i]);
++ create_host_struct(&pef_shared->sheaders.sheaders[i], PEF_SECTION_HEADER_struct, pef_shared->byte_order);
++ // FIXME: hack
++ pef_shared->sheaders.sheaders[i].defaultAddress = i*0x100000;
++ if (!pef_shared->loader_info_header_ofs
++ && pef_shared->sheaders.sheaders[i].sectionKind == PEF_SK_Loader) {
++ pef_shared->loader_info_header_ofs = pef_shared->sheaders.sheaders[i].containerOffset;
++ }
+ }
+ }
+
+--- htpeimp.cc.orig 2005-05-04 20:41:43.000000000 +1000
++++ htpeimp.cc 2005-05-04 20:54:14.000000000 +1000
+@@ -174,19 +174,21 @@
+ PE_THUNK_DATA *thunk_table = NULL;
+ PE_THUNK_DATA_64 *thunk_table64 = NULL;
+ file->seek(thunk_ofs);
+- if (pe32) {
+- thunk_table=(PE_THUNK_DATA*)malloc(sizeof *thunk_table * thunk_count);
+- file->read(thunk_table, sizeof *thunk_table * thunk_count);
+- // FIXME: ?
+- for (UINT i=0; i<thunk_count; i++) {
+- create_host_struct(thunk_table+i, PE_THUNK_DATA_struct, little_endian);
+- }
+- } else {
+- thunk_table64=(PE_THUNK_DATA_64*)malloc(sizeof *thunk_table64 * thunk_count);
+- file->read(thunk_table64, sizeof *thunk_table64 * thunk_count);
+- // FIXME: ?
+- for (UINT i=0; i<thunk_count; i++) {
+- create_host_struct(thunk_table64+i, PE_THUNK_DATA_64_struct, little_endian);
++ if (thunk_count) {
++ if (pe32) {
++ thunk_table=(PE_THUNK_DATA*)malloc(sizeof *thunk_table * thunk_count);
++ file->read(thunk_table, sizeof *thunk_table * thunk_count);
++ // FIXME: ?
++ for (UINT i=0; i<thunk_count; i++) {
++ create_host_struct(thunk_table+i, PE_THUNK_DATA_struct, little_endian);
++ }
++ } else {
++ thunk_table64=(PE_THUNK_DATA_64*)malloc(sizeof *thunk_table64 * thunk_count);
++ file->read(thunk_table64, sizeof *thunk_table64 * thunk_count);
++ // FIXME: ?
++ for (UINT i=0; i<thunk_count; i++) {
++ create_host_struct(thunk_table64+i, PE_THUNK_DATA_64_struct, little_endian);
++ }
+ }
+ }
+ for (dword i=0; i<thunk_count; i++) {
diff --git a/app-editors/hteditor/hteditor-0.8.0-r1.ebuild b/app-editors/hteditor/hteditor-0.8.0-r1.ebuild
new file mode 100644
index 000000000000..76fafaff9ec9
--- /dev/null
+++ b/app-editors/hteditor/hteditor-0.8.0-r1.ebuild
@@ -0,0 +1,45 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-editors/hteditor/hteditor-0.8.0-r1.ebuild,v 1.1 2005/05/04 11:26:38 dragonheart Exp $
+
+inherit eutils
+
+DESCRIPTION="editor for executable files"
+HOMEPAGE="http://hte.sourceforge.net/"
+SRC_URI="mirror://sourceforge/hte/ht-${PV}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~ppc ~x86 ~amd64"
+IUSE=""
+
+RDEPEND="virtual/libc
+ virtual/x11
+ sys-libs/ncurses"
+DEPEND="${RDEPEND}
+ >=sys-devel/automake-1.4
+ sys-devel/autoconf
+ sys-devel/bison
+ sys-devel/flex"
+
+S="${WORKDIR}/ht-${PV/_/}"
+
+src_unpack() {
+ unpack ${A}
+ cd ${S}
+ epatch ${FILESDIR}/${P}-mallocboundcheck.patch
+}
+
+src_compile() {
+ econf || die
+ emake \
+ CFLAGS="${CFLAGS}" \
+ CXXFLAGS="${CXXFLAGS}" LDFLAGS="${LDFLAGS}" || die
+}
+
+src_install() {
+ make DESTDIR=${D} install || die
+ dodoc AUTHORS KNOWNBUGS TODO README
+ dohtml doc/ht.html
+ doinfo doc/*.info
+}
|
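Review bot: The guard added in the cplus-dem.c hunk at `@@ -1792,9 +1797,11 @@` is inverted: `if (len<=0) {` runs `xmalloc (len + 1)` and `memcpy (work->tmpl_argvec[i], s->b, len)` only for zero or negative lengths, so a negative `len` still reaches `memcpy` as a very large size and normal positive-length template arguments are no longer saved; it should read `if (len > 0) {`. In the `@@ -1746,9 +1748,12 @@` hunk, `*mangled += r2;` still executes after the new `if (len >=0)` block, so a negative `r2` would move the parse cursor backwards; returning early on `r2 < 0` looks safer, though the enclosing function starts and ends outside the hunk. The `if (len)` and `if (!is_type && r)` guards in the `@@ -1718` and `@@ -1690` hunks are also true for negative values, so if `len` or `r` can go negative there they need `> 0` as well. In the htcoff.cc, htelf.cc, htpef.cc and htpeimp.cc hunks the new checks reject only a zero count: the `count * sizeof` products can still wrap for large file-supplied counts, and the `malloc` results (and the `file->read` results in htcoff.cc, htpef.cc and htpeimp.cc) are not checked in the lines shown, so an upper bound and a NULL check are still missing.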
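Review bot: In `src_unpack`, `cd ${S}` is unquoted and its result is not checked, so if the directory is missing the following `epatch` runs from the wrong location instead of failing at the actual cause. `cd "${S}" || die` and `epatch "${FILESDIR}/${P}-mallocboundcheck.patch"` would make the step that applies the security patch fail clearly. The same quoting applies to `make DESTDIR=${D} install` in `src_install`.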