Please review the attached debdiff as a suggested fix for this issue.
From debian/changelog:
* SECURITY UPDATE: Integer overflow when handling large bson objects (LP: #1830865)
- lib/bson/bson.c, lib/bson/bson.h, src/whoopsie.c: use size_t
for size instead of int to prevent integer overflows.
- lib/bson/bson.c: ensure bson objects are not bigger than INT_MAX.
- CVE-2019-11484
* src/whoopsie.c: prevent freeing a NULL server response string.
Additional comments:
I have modified some ints used for size, even in functions that are not used by whoopsie, so we are not hit by this again in case whoopsie changes.
I added a check on size so it does not go over the bson int32 specification, and I modified a check so it always verifies that the total size is also under max int32; previously it only did this check 'if( new_size < b->dataSize )'.
Whoopsie would try to free the 's' string even when bsonify failed, thus triggering a NULL assert, so I moved the string declaration and the free call inside the scope of the crash file upload.
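A worked illustration of the overflow class the comment above describes, added here as an example; it is not code from whoopsie or from its bundled bson library. `grow_vulnerable` is a hypothetical model of the pre-fix shape as the comment describes it (int sizes, and an overflow guard that only runs behind `new_size < dataSize`), and `grow_hardened` is a hypothetical model of the size_t version with the int32 bound applied unconditionally. Both function names, the `wrap32` helper and the inputs in main() are constructed for the example.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BSON_OK     0
#define BSON_ERROR (-1)

/* A BSON document stores its total length in a signed int32, so no object
 * may legitimately exceed INT32_MAX bytes. */
#define BSON_MAX_SIZE ((size_t)INT32_MAX)

/* Make the int32 wraparound explicit and well-defined. The real bug relies on
 * signed overflow, which is undefined behaviour in C (a compiler may even
 * delete guards placed after it); the unsigned->signed cast below is two's
 * complement on every platform this matters for. */
static int32_t wrap32(int64_t v)
{
    return (int32_t)(uint32_t)(uint64_t)v;
}

/* Hypothetical model of the pre-fix logic: every size is an int, the request
 * is added to the write position without a bound, and the only overflow guard
 * runs when the 1.5x growth result wrapped below the current capacity.
 * Returns BSON_OK and the capacity the caller would proceed with. */
static int grow_vulnerable(int32_t data_size, int32_t pos, int32_t bytes_needed,
                           int32_t *new_size_out)
{
    int32_t end = wrap32((int64_t)pos + bytes_needed);
    if (end <= data_size) {
        /* A wrapped, negative `end` lands here: "enough room", so the caller
         * would memcpy() bytes_needed bytes past the end of the buffer. */
        *new_size_out = data_size;
        return BSON_OK;
    }
    int32_t new_size = wrap32((int64_t)(1.5 * ((double)data_size + bytes_needed)));
    if (new_size < data_size) {
        if (wrap32((int64_t)data_size + bytes_needed) < INT32_MAX)
            new_size = INT32_MAX;
        else
            return BSON_ERROR;
    }
    *new_size_out = new_size;
    return BSON_OK;
}

/* Hypothetical hardened version: size_t throughout, the requested total is
 * bounded against the int32 spec before any arithmetic that could wrap, and
 * that bound is checked on every call, not only on the growth path. */
static int grow_hardened(size_t data_size, size_t pos, size_t bytes_needed,
                         size_t *new_size_out)
{
    if (data_size > BSON_MAX_SIZE || pos > data_size)
        return BSON_ERROR;                  /* corrupt bookkeeping */
    if (bytes_needed > BSON_MAX_SIZE - pos)
        return BSON_ERROR;                  /* total would exceed int32 */
    size_t total = pos + bytes_needed;      /* cannot wrap: <= INT32_MAX */
    if (total <= data_size) {
        *new_size_out = data_size;
        return BSON_OK;
    }
    /* Grow by half the current capacity on top of what is needed. The sum is
     * below 2^32, so it fits even a 32-bit size_t, and it is capped at the
     * spec limit. */
    size_t new_size = total + data_size / 2;
    if (new_size > BSON_MAX_SIZE)
        new_size = BSON_MAX_SIZE;
    *new_size_out = new_size;
    return BSON_OK;
}

int main(void)
{
    /* Constructed inputs: a buffer 16 bytes short of the int32 limit, with
     * the write position 32 bytes below it, and a 64-byte append that pushes
     * the end past INT32_MAX. */
    int32_t cap = INT32_MAX - 16, pos = INT32_MAX - 32;
    int32_t v_size = 0;
    size_t  h_size = 0;
    int v = grow_vulnerable(cap, pos, 64, &v_size);
    int h = grow_hardened((size_t)cap, (size_t)pos, 64, &h_size);
    printf("vulnerable: rc=%d capacity=%" PRId32 " (end would be %lld)\n",
           v, v_size, (long long)pos + 64);
    printf("hardened:   rc=%d\n", h);
    return 0;
}
```

The vulnerable model reports success without growing the buffer because `pos + bytes_needed` wraps negative and passes the "fits" comparison; the hardened model rejects the same request before doing any arithmetic, which is the effect of checking the total against the int32 limit on every path rather than only inside the `new_size < dataSize` branch.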