1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
From e9e81b8063b095b02cf104bb992fa9bf9515b9d8 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Fri, 1 Sep 2017 10:04:48 +0200
Subject: [PATCH] lib/punycode.c (decode_digit): Fix integer overflow
This fix is a backport from libidn2 and addresses
CVE-2017-14062.
---
lib/punycode.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/punycode.c b/lib/punycode.c
index 86819a7..49250a1 100644
--- a/lib/punycode.c
+++ b/lib/punycode.c
@@ -88,10 +88,10 @@ enum
/* point (for use in representing integers) in the range 0 to */
/* base-1, or base if cp does not represent a value. */
-static punycode_uint
-decode_digit (punycode_uint cp)
+static unsigned
+decode_digit (int cp)
{
- return cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
+ return (unsigned) cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
cp - 97 < 26 ? cp - 97 : base;
}
--
1.9.1
From 6c8a9375641ca283b50f9680c90dcd57f9c44798 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Wed, 4 Oct 2017 15:22:43 +0200
Subject: [PATCH] lib/punycode.c (decode_digit): Really fix integer overflow
The fix in commit e9e81b8063b095b02cf104bb992fa9bf9515b9d8
was incomplete.
Reported-by: Christian Weisgerber
---
lib/punycode.c | 4 ++--
tests/tst_idna.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/punycode.c b/lib/punycode.c
index 49250a1..d475b6d 100644
--- a/lib/punycode.c
+++ b/lib/punycode.c
@@ -91,8 +91,8 @@ enum
static unsigned
decode_digit (int cp)
{
- return (unsigned) cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
- cp - 97 < 26 ? cp - 97 : base;
+ return (unsigned) (cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
+ cp - 97 < 26 ? cp - 97 : base);
}
/* encode_digit(d,flag) returns the basic code point whose value */
diff --git a/tests/tst_idna.c b/tests/tst_idna.c
index 4ac046f..7fb58b9 100644
--- a/tests/tst_idna.c
+++ b/tests/tst_idna.c
@@ -211,7 +211,7 @@ static const struct idna idna[] = {
'x', 'n', '-', '-', 'f', 'o', 0x3067},
IDNA_ACE_PREFIX "too long too long too long too long too long too "
"long too long too long too long too long ", 0,
- IDNA_CONTAINS_ACE_PREFIX, IDNA_PUNYCODE_ERROR}
+ IDNA_CONTAINS_ACE_PREFIX, IDNA_INVALID_LENGTH}
};
void
--
1.9.1
|
