diff options
| author |   Simon Josefsson <simon@josefsson.org> | 2016-01-14 13:46:52 +0100 |
|---|---|---|
| committer |   Andreas K. Hüttel <dilfridge@gentoo.org> | 2017-10-21 20:05:01 +0200 |
| commit | 2f704d08e71bd51554caab1e2da37f891af3086b (patch) | |
| tree | f02ccdfd9dbb278629bd5f955a1b1af29606b0de | |
| parent | libidn/punycode.c (decode_digit): Really fix integer overflow (diff) | |
| download | glibc-2f704d08e71bd51554caab1e2da37f891af3086b.tar.gz glibc-2f704d08e71bd51554caab1e2da37f891af3086b.tar.bz2 glibc-2f704d08e71bd51554caab1e2da37f891af3086b.zip | |
libidn: Fix out-of-bounds stack read. Report and patch by Hanno Böck. CVE-2016-6261
Bug: https://bugs.gentoo.org/635010
Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=22333
| -rw-r--r-- | libidn/idna.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/libidn/idna.c b/libidn/idna.c index 7a15a25b21..bcf1c191f7 100644 --- a/libidn/idna.c +++ b/libidn/idna.c @@ -196,6 +196,8 @@ step3: } if (i < 64) out[i] = '\0'; + else + return IDNA_INVALID_LENGTH; if (inasciirange) goto step8; } @@ -250,7 +252,7 @@ step3: step8: free (src); - if (strlen (out) < 1 || strlen (out) > 63) + if (strlen (out) < 1) return IDNA_INVALID_LENGTH; return IDNA_SUCCESS; |