diff -Nru whoopsie-0.2.52.5ubuntu0.1/debian/changelog whoopsie-0.2.52.5ubuntu0.2/debian/changelog
--- whoopsie-0.2.52.5ubuntu0.1/debian/changelog 2019-07-05 03:37:14.000000000 -0300
+++ whoopsie-0.2.52.5ubuntu0.2/debian/changelog 2019-10-14 11:17:30.000000000 -0300
@@ -1,3 +1,14 @@
+whoopsie (0.2.52.5ubuntu0.2) xenial-security; urgency=high
+
+ * SECURITY UPDATE: Integer overflow when handling large bson
+ objects (LP: #1830865)
+ - lib/bson/bson.c, lib/bson/bson.h, src/whoopsie.c: use size_t
+ for size instead of int to prevent integer overflows.
+ - lib/bson/bson.c: ensure bson objects are not bigger than INT_MAX.
+ - CVE-2019-11484
+
+ -- Tiago Stürmer Daitx Mon, 14 Oct 2019 14:17:30 +0000
+
 whoopsie (0.2.52.5ubuntu0.1) xenial-security; urgency=medium
 * SECURITY UPDATE: Integer overflow when handling large crash dumps (LP:
diff -Nru whoopsie-0.2.52.5ubuntu0.1/lib/bson/bson.c whoopsie-0.2.52.5ubuntu0.2/lib/bson/bson.c
--- whoopsie-0.2.52.5ubuntu0.1/lib/bson/bson.c 2016-06-15 13:35:47.000000000 -0300
+++ whoopsie-0.2.52.5ubuntu0.2/lib/bson/bson.c 2019-10-14 11:17:28.000000000 -0300
@@ -24,7 +24,7 @@
 #include "bson.h"
 #include "encoding.h"
-const int initialBufferSize = 128;
+const size_t initialBufferSize = 128;
 /* only need one of these */
 static const int zero = 0;
@@ -86,8 +86,8 @@
 b->errstr = NULL;
 }
-int bson_size( const bson *b ) {
-int i;
+size_t bson_size( const bson *b ) {
+size_t i;
 if ( ! b || ! b->data )
 return 0;
 bson_little_endian32( &i, b->data );
@@ -567,7 +567,7 @@
 BUILDING
 ------------------------------ */
-static void _bson_init_size( bson *b, int size ) {
+static void _bson_init_size( bson *b, size_t size ) {
 if( size == 0 )
 b->data = NULL;
 else
@@ -581,7 +581,7 @@
 _bson_init_size( b, initialBufferSize );
 }
-void bson_init_size( bson *b, int size ) {
+void bson_init_size( bson *b, size_t size ) {
 _bson_init_size( b, size );
 }
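Review bot: `size_t i;` in bson_size is left uninitialized and then filled through `bson_little_endian32( &i, b->data )`; if that helper copies four bytes, as its name suggests, only the low half of a 64-bit size_t is written and the `return i;` that follows outside this hunk hands back a value whose upper bytes are indeterminate. Keep the wire value in a 32-bit temporary and widen it afterwards, e.g. `int raw = 0;` / `bson_little_endian32( &raw, b->data );` / `return raw < 0 ? 0 : (size_t)raw;` — the sign check matters because a size_t return can no longer express a malformed negative length. The same `size_t i` change in bson_finish (@@ -635) and bson_append_finish_object (@@ -888) presumably feeds `&i` back into bson_little_endian32 as the source; a four-byte copy from a size_t picks the right half only on little-endian hosts, so those should use a 32-bit temporary as well.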
@@ -590,7 +590,7 @@
 b->cur++;
 }
-void bson_append( bson *b, const void *data, int len ) {
+void bson_append( bson *b, const void *data, size_t len ) {
 memcpy( b->cur , data , len );
 b->cur += len;
 }
@@ -605,24 +605,24 @@
 b->cur += 8;
 }
-int bson_ensure_space( bson *b, const int bytesNeeded ) {
-int pos = b->cur - b->data;
+int bson_ensure_space( bson *b, const size_t bytesNeeded ) {
+size_t pos = b->cur - b->data;
 char *orig = b->data;
-int new_size;
+size_t new_size;
+
+if ( bytesNeeded > INT_MAX || pos > INT_MAX || b->dataSize > INT_MAX ||
+( INT_MAX - b->dataSize ) < bytesNeeded || ( INT_MAX - pos) < bytesNeeded ) {
+b->err = BSON_SIZE_OVERFLOW;
+return BSON_ERROR;
+}
-if ( pos + bytesNeeded <= b->dataSize )
+if ( ( pos + bytesNeeded ) <= b->dataSize )
 return BSON_OK;
 new_size = 1.5 * ( b->dataSize + bytesNeeded );
-if( new_size < b->dataSize ) {
-if( ( b->dataSize + bytesNeeded ) < INT_MAX )
-new_size = INT_MAX;
-else {
-b->err = BSON_SIZE_OVERFLOW;
-return BSON_ERROR;
-}
-}
+if ( new_size > INT_MAX)
+new_size = INT_MAX;
 b->data = bson_realloc( b->data, new_size );
 if ( !b->data )
@@ -635,7 +635,7 @@
 }
 int bson_finish( bson *b ) {
-int i;
+size_t i;
 if( b->err & BSON_NOT_UTF8 )
 return BSON_ERROR;
@@ -659,8 +659,8 @@
 b->finished = 1;
 }
-static int bson_append_estart( bson *b, int type, const char *name, const int dataSize ) {
-const int len = strlen( name ) + 1;
+static int bson_append_estart( bson *b, int type, const char *name, const size_t dataSize ) {
+const size_t len = strlen( name ) + 1;
 if ( b->finished ) {
 b->err |= BSON_ALREADY_FINISHED;
@@ -726,9 +726,9 @@
 }
 int bson_append_string_base( bson *b, const char *name,
-const char *value, int len, bson_type type ) {
+const char *value, size_t len, bson_type type ) {
-int sl = len + 1;
+size_t sl = len + 1;
 if ( bson_check_string( b, ( const char * )value, sl - 1 ) == BSON_ERROR )
 return BSON_ERROR;
 if ( bson_append_estart( b, type, name, 4 + sl ) == BSON_ERROR ) {
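Review bot: The new overflow guard in bson_ensure_space reports the failure with `b->err = BSON_SIZE_OVERFLOW;`, a plain assignment that discards any flag already recorded, whereas the rest of the library treats err as a bit set (`b->err |= BSON_ALREADY_FINISHED` in the @@ -659 hunk, `b->err & BSON_NOT_UTF8` in @@ -635); use `b->err |= BSON_SIZE_OVERFLOW;` here. The INT_MAX bound on a size_t request also deserves a line of explanation, since a reader will otherwise expect a 64-bit limit; something like `/* The document length is stored as a 32-bit value (see bson_size/bson_finish), so no buffer may grow past INT_MAX. */` above the `if`. The tail of bson_ensure_space, including the error path after `if ( !b->data )`, lies outside the hunk.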
@@ -835,7 +835,7 @@
 int bson_append_element( bson *b, const char *name_or_null, const bson_iterator *elem ) {
 bson_iterator next = *elem;
-int size;
+size_t size;
 bson_iterator_next( &next );
 size = next.cur - elem->cur;
@@ -845,7 +845,7 @@
 return BSON_ERROR;
 bson_append( b, elem->cur, size );
 } else {
-int data_size = size - 2 - strlen( bson_iterator_key( elem ) );
+size_t data_size = size - 2 - strlen( bson_iterator_key( elem ) );
 bson_append_estart( b, elem->cur[0], name_or_null, data_size );
 bson_append( b, bson_iterator_value( elem ), data_size );
 }
@@ -888,7 +888,7 @@
 int bson_append_finish_object( bson *b ) {
 char *start;
-int i;
+size_t i;
 if ( bson_ensure_space( b, 1 ) == BSON_ERROR ) return BSON_ERROR;
 bson_append_byte( b , 0 );
@@ -914,14 +914,14 @@
 return old;
 }
-void *bson_malloc( int size ) {
+void *bson_malloc( size_t size ) {
 void *p;
 p = bson_malloc_func( size );
 bson_fatal_msg( !!p, "malloc() failed" );
 return p;
 }
-void *bson_realloc( void *ptr, int size ) {
+void *bson_realloc( void *ptr, size_t size ) {
 void *p;
 p = bson_realloc_func( ptr, size );
 bson_fatal_msg( !!p, "realloc() failed" );
diff -Nru whoopsie-0.2.52.5ubuntu0.1/lib/bson/bson.h whoopsie-0.2.52.5ubuntu0.2/lib/bson/bson.h
--- whoopsie-0.2.52.5ubuntu0.1/lib/bson/bson.h 2016-06-15 13:35:47.000000000 -0300
+++ whoopsie-0.2.52.5ubuntu0.2/lib/bson/bson.h 2019-10-14 11:17:28.000000000 -0300
@@ -86,7 +86,7 @@
 typedef struct {
 char *data;
 char *cur;
-int dataSize;
+size_t dataSize;
 bson_bool_t finished;
 int stack[32];
 int stackPos;
@@ -119,7 +119,7 @@
 *
 * @return the size.
 */
-int bson_size( const bson *b );
+size_t bson_size( const bson *b );
 /**
 * Print a string representation of a BSON object.
@@ -546,7 +546,7 @@
 *
 * @return BSON_OK or BSON_ERROR.
 */
-void bson_init_size( bson *b, int size );
+void bson_init_size( bson *b, size_t size );
 /**
 * Grow a bson object.
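Review bot: The new `size_t data_size` is passed to `bson_append_estart( b, elem->cur[0], name_or_null, data_size )` on the next line with its return value discarded, so when bson_ensure_space now rejects the request with BSON_SIZE_OVERFLOW the following `bson_append` still memcpy's `data_size` bytes into a buffer that was never grown. The widening makes that path worse rather than better: a `size` below `2 + strlen(key)`, which I cannot rule out from here for a malformed iterator, used to go negative and now wraps to a value near SIZE_MAX. Check the result the way the `return BSON_ERROR;` at the top of this hunk already does for the other branch: `if ( bson_append_estart( b, elem->cur[0], name_or_null, data_size ) == BSON_ERROR )` / `return BSON_ERROR;`. bson_append_element starts in the preceding hunk and ends outside this one.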
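Review bot: bson_malloc and bson_realloc now take size_t but forward it unchanged to `bson_malloc_func( size )` and `bson_realloc_func( ptr, size )`, and the declarations of those function pointers are not touched by this diff. If they are still declared with an int parameter (their definition in bson.h is not visible here), the argument is narrowed back to int at the call and any size above INT_MAX is truncated before it reaches the allocator, which is exactly what this update is meant to prevent. Please confirm both pointer types take size_t, or add a comment on these two calls stating which invariant keeps every request within INT_MAX.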
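Review bot: The Doxygen block directly above the changed prototype still says `@return BSON_OK or BSON_ERROR.`, but bson_init_size is declared `void` on the new line and in bson.c (@@ -581), so the comment documents a return value that does not exist. Since bson_malloc aborts through bson_fatal_msg when allocation fails (@@ -914), replace the `@return` line with ` * Allocation failure is fatal (see bson_malloc); nothing is returned.`.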
@@ -557,7 +557,7 @@
 * @return BSON_OK or BSON_ERROR with the bson error object set.
 * Exits if allocation fails.
 */
-int bson_ensure_space( bson *b, const int bytesNeeded );
+int bson_ensure_space( bson *b, const size_t bytesNeeded );
 /**
 * Finalize a bson object.
@@ -930,7 +930,7 @@
 *
 * @sa malloc(3)
 */
-void *bson_malloc( int size );
+void *bson_malloc( size_t size );
 /**
 * Changes the size of allocated memory and checks return value,
@@ -943,7 +943,7 @@
 *
 * @sa realloc()
 */
-void *bson_realloc( void *ptr, int size );
+void *bson_realloc( void *ptr, size_t size );
 /**
 * Set a function for error handling.
diff -Nru whoopsie-0.2.52.5ubuntu0.1/lib/bson/encoding.c whoopsie-0.2.52.5ubuntu0.2/lib/bson/encoding.c
--- whoopsie-0.2.52.5ubuntu0.1/lib/bson/encoding.c 2016-06-15 13:35:47.000000000 -0300
+++ whoopsie-0.2.52.5ubuntu0.2/lib/bson/encoding.c 2019-10-14 11:17:28.000000000 -0300
@@ -67,7 +67,7 @@
 * If presented with a length > 4, this returns 0. The Unicode
 * definition of UTF-8 goes up to 4-byte sequences.
 */
-static int isLegalUTF8( const unsigned char *source, int length ) {
+static int isLegalUTF8( const unsigned char *source, size_t length ) {
 unsigned char a;
 const unsigned char *srcptr = source + length;
 switch ( length ) {
@@ -102,11 +102,11 @@
 }
 static int bson_validate_string( bson *b, const unsigned char *string,
-const int length, const char check_utf8, const char check_dot,
+const size_t length, const char check_utf8, const char check_dot,
 const char check_dollar ) {
-int position = 0;
-int sequence_length = 1;
+size_t position = 0;
+size_t sequence_length = 1;
 if( check_dollar && string[0] == '$' ) {
 b->err |= BSON_FIELD_INIT_DOLLAR;
@@ -136,13 +136,13 @@
 int bson_check_string( bson *b, const char *string,
-const int length ) {
+const size_t length ) {
 return bson_validate_string( b, ( const unsigned char * )string, length, 1, 0, 0 );
 }
 int bson_check_field_name( bson *b, const char *string,
-const int length ) {
+const size_t length ) {
 return bson_validate_string( b, ( const unsigned char * )string, length, 1, 1, 1 );
 }
diff -Nru whoopsie-0.2.52.5ubuntu0.1/lib/bson/encoding.h whoopsie-0.2.52.5ubuntu0.2/lib/bson/encoding.h
--- whoopsie-0.2.52.5ubuntu0.1/lib/bson/encoding.h 2016-06-15 13:35:47.000000000 -0300
+++ whoopsie-0.2.52.5ubuntu0.2/lib/bson/encoding.h 2019-10-14 11:17:28.000000000 -0300
@@ -35,7 +35,7 @@
 * Set the value of b->err appropriately.
 */
 int bson_check_field_name( bson *b, const char *string,
-const int length );
+const size_t length );
 /**
 * Check that a string is valid UTF8. Sets the buffer bit field appropriately.
@@ -48,7 +48,7 @@
 * Sets b->err on error.
 */
 bson_bool_t bson_check_string( bson *b, const char *string,
-const int length );
+const size_t length );
 MONGO_EXTERN_C_END
 #endif
diff -Nru whoopsie-0.2.52.5ubuntu0.1/src/whoopsie.c whoopsie-0.2.52.5ubuntu0.2/src/whoopsie.c
--- whoopsie-0.2.52.5ubuntu0.1/src/whoopsie.c 2019-07-05 03:35:37.000000000 -0300
+++ whoopsie-0.2.52.5ubuntu0.2/src/whoopsie.c 2019-10-14 11:17:28.000000000 -0300
@@ -250,7 +250,7 @@
 gboolean
 bsonify (GHashTable* report, bson* b, const char** bson_message,
-int* bson_message_len)
+size_t* bson_message_len)
 {
 /* Attempt to convert a #GHashTable of the report into a BSON string.
 * On error return %FALSE. */
@@ -284,7 +284,7 @@
 }
 int
-upload_report (const char* message_data, int message_len, struct response_string* s)
+upload_report (const char* message_data, size_t message_len, struct response_string* s)
 {
 CURL* curl = NULL;
 CURLcode result_code = 0;
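Review bot: bson_check_string is defined here as `int bson_check_string( bson *b, const char *string, const size_t length )` while the @@ -48 hunk of encoding.h declares it as `bson_bool_t bson_check_string( ... const size_t length );`; the pair is only compatible if bson_bool_t is a typedef of int, which this diff does not show. Since both declarations are being edited anyway, give them the same return type rather than carrying the mismatch forward.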
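Review bot: upload_report now receives `size_t message_len`, but every use of it sits in the part of the function below this hunk; if it is handed to `curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, message_len)`, that option expects a long and variadic arguments are not converted, so the call should cast explicitly or move to `CURLOPT_POSTFIELDSIZE_LARGE` with a `curl_off_t` value. Any `%d` format that logs the length needs the same attention and would become `%zu` now.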
@@ -635,7 +635,7 @@
 {
 GHashTable* report = NULL;
 gboolean success = FALSE;
-int message_len = 0;
+size_t message_len = 0;
 const char* message_data = NULL;
 struct response_string s;
 GError* error = NULL;