| Brad Bishop | bba38f3 | 2018-08-23 16:11:46 +0800 | [diff] [blame] | 1 | Integer overflow in src/zm.c:zsdata() causes crash in sz and can leak information to receiver. |
| 2 | |
| 3 | Patch taken from Fedora. |
| 4 | |
| 5 | CVE: CVE-2018-10195 |
| 6 | Upstream-Status: Inappropriate (dead upstream) |
| 7 | Signed-off-by: Ross Burton <ross.burton@intel.com> |
| 8 | |
| 9 | diff -urN lrzsz-0.12.20/src/zm.c lrzsz-0.12.20.new/src/zm.c |
| 10 | --- lrzsz-0.12.20/src/zm.c Tue Dec 29 09:48:38 1998 |
| 11 | +++ lrzsz-0.12.20.new/src/zm.c Tue Oct 8 12:46:58 2002 |
| 12 | @@ -431,10 +431,12 @@ |
| 13 | VPRINTF(3,("zsdata: %lu %s", (unsigned long) length, |
| 14 | Zendnames[(frameend-ZCRCE)&3])); |
| 15 | crc = 0; |
| 16 | - do { |
| 17 | - zsendline(*buf); crc = updcrc((0377 & *buf), crc); |
| 18 | - buf++; |
| 19 | - } while (--length>0); |
| 20 | + |
| 21 | + for( ; length; length--) { |
| 22 | + zsendline(*buf); crc = updcrc((0377 & *buf), crc); |
| 23 | + buf++; |
| 24 | + } |
| 25 | + |
| 26 | xsendline(ZDLE); xsendline(frameend); |
| 27 | crc = updcrc(frameend, crc); |
| 28 | |