From 0eafd5637d31f98fc7946854156ded059b0a7ad2 Mon Sep 17 00:00:00 2001
From: Holger Hans Peter Freyther
Date: Tue, 8 Apr 2014 19:43:14 +0200
Subject: [PATCH] libdbi-drivers: Add fixes for out-of-bounds write in the sqlite3 driver
While working on the OpenBSC/NITB schema migration I experienced crashes and traced it down to libdbi-drivers. It was possible that a special string quote each character and then adding '"\0' would result in out of bounds write.
---
.../libdbi/files/memory-corruption-fixes.patch | 17 +++++++++++++++++
recipes-misc/libdbi/libdbi-drivers_0.8.3-1.bb | 4 +++-
2 files changed, 20 insertions(+), 1 deletion(-)
create mode 100644 recipes-misc/libdbi/files/memory-corruption-fixes.patch
diff --git a/recipes-misc/libdbi/files/memory-corruption-fixes.patch b/recipes-misc/libdbi/files/memory-corruption-fixes.patch
new file mode 100644
index 0000000000..ff42752a44
--- /dev/null
+++ b/recipes-misc/libdbi/files/memory-corruption-fixes.patch
@@ -0,0 +1,17 @@
+This is a backport of a fix from Holger Freyther to the
+libdbd sqlite3 driver.
+
+Index: libdbi-drivers-0.8.3-1/drivers/sqlite3/dbd_sqlite3.c
+===================================================================
+--- libdbi-drivers-0.8.3-1.orig/drivers/sqlite3/dbd_sqlite3.c
++++ libdbi-drivers-0.8.3-1/drivers/sqlite3/dbd_sqlite3.c
+@@ -502,7 +502,8 @@ size_t dbd_quote_binary(dbi_conn_t *conn
+ unsigned char *temp;
+ size_t len;
+
+- if ((temp = malloc(from_length*2)) == NULL) {
++ /* allocate an extra byte for NULL and two for the quotes */
++ if ((temp = malloc(2*from_length+1+2)) == NULL) {
+ return 0;
+ }
+
diff --git a/recipes-misc/libdbi/libdbi-drivers_0.8.3-1.bb b/recipes-misc/libdbi/libdbi-drivers_0.8.3-1.bb
index 2f2e39df79..deeb56ec3d 100644
--- a/recipes-misc/libdbi/libdbi-drivers_0.8.3-1.bb
+++ b/recipes-misc/libdbi/libdbi-drivers_0.8.3-1.bb
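Review bot: The new size expression `2*from_length+1+2` in the malloc call of dbd_quote_binary (the sqlite3 hunk carried in memory-corruption-fixes.patch) is evaluated in size_t with no overflow check, so a from_length close to SIZE_MAX would wrap and again produce a buffer smaller than what is written into it; a guard such as `if (from_length > (SIZE_MAX - 3) / 2) return 0;` ahead of the allocation closes that gap. The added comment says "NULL" where the terminating NUL byte is meant, and it should state the worst case the factor of two relies on, for example `/* worst case: each input byte expands to two, plus two quotes and the terminating NUL */`. The code that writes into temp lies outside the hunk, so that bound is presumably right but should be confirmed against the encoder's documented maximum output size. The patch file also carries no Upstream-Status or Signed-off-by line, which makes it harder to tell later whether this backport can be dropped on a version upgrade.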
@@ -1,6 +1,8 @@ require ${PN}.inc -PR = "${INC_PR}.0" +PR = "${INC_PR}.1" SRC_URI[md5sum] = "4de79b323162a5a7652b65b608eca6cd" SRC_URI[sha256sum] = "4ab9944398ce769c0deeb64d2f73555c67bc25ccd2ade1ccf552226c7b2acf72" + +SRC_URI += "file://memory-corruption-fixes.patch"