Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 604040 Details for
Bug 847462
pem module may attempt to free an uninitialized pointer
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
The fixes since the last tar ball - Kamil's fixes
pick-up-fixes-from-rhel-6.3.patch (text/plain), 4.14 KB, created by
Elio Maldonado Batiz
on 2012-08-13 16:23:52 UTC
(
hide
)
Description:
The fixes since the last tar ball - Kamil's fixes
Filename:
MIME Type:
Creator:
Elio Maldonado Batiz
Created:
2012-08-13 16:23:52 UTC
Size:
4.14 KB
patch
obsolete
>diff --git a/mozilla/security/nss/lib/ckfw/pem/pinst.c b/mozilla/security/nss/lib/ckfw/pem/pinst.c >index cd325ca..9c8682a 100644 >--- a/mozilla/security/nss/lib/ckfw/pem/pinst.c >+++ b/mozilla/security/nss/lib/ckfw/pem/pinst.c >@@ -54,50 +54,55 @@ int token_needsLogin[NUM_SLOTS]; > PRInt32 size = 0; > PRInt32 count = 0; > > #define PEM_ITEM_CHUNK 512 > > /* > * simple cert decoder to avoid the cost of asn1 engine > */ > static unsigned char * > dataStart(unsigned char *buf, unsigned int length, > unsigned int *data_length, > PRBool includeTag, unsigned char *rettag) > { > unsigned char tag; > unsigned int used_length = 0; >+ if (!length) >+ return NULL; > > tag = buf[used_length++]; > > if (rettag) { > *rettag = tag; > } > > /* blow out when we come to the end */ >- if (tag == 0) { >+ if (tag == 0 || length <= used_length) { > return NULL; > } > > *data_length = buf[used_length++]; > > if (*data_length & 0x80) { > int len_count = *data_length & 0x7f; > > *data_length = 0; > > while (len_count-- > 0) { >+ if (length <= used_length) >+ return NULL; >+ > *data_length = (*data_length << 8) | buf[used_length++]; > } > } > > if (*data_length > (length - used_length)) { > *data_length = length - used_length; > return NULL; > } > if (includeTag) > *data_length += used_length; > > return (buf + (includeTag ? 0 : used_length)); > } > > static int >diff --git a/mozilla/security/nss/lib/ckfw/pem/pobject.c b/mozilla/security/nss/lib/ckfw/pem/pobject.c >index 13569f8..eaf7943 100644 >--- a/mozilla/security/nss/lib/ckfw/pem/pobject.c >+++ b/mozilla/security/nss/lib/ckfw/pem/pobject.c >@@ -1162,30 +1162,34 @@ pem_CreateObject > if (nobjs < 1) > goto loser; > > certDER.len = 0; /* in case there is no equivalent cert */ > certDER.data = NULL; > > objid = -1; > for (i = 0; i < pem_nobjs; i++) { > if (NULL == gobj[i]) > continue; > > if ((slotID == gobj[i]->slotID) && (gobj[i]->type == pemCert)) { > objid = atoi(gobj[i]->id.data); > certDER.data = > (void *) nss_ZAlloc(NULL, gobj[i]->derCert->len); >+ >+ if (certDER.data == NULL) >+ goto loser; >+ > certDER.len = gobj[i]->derCert->len; > nsslibc_memcpy(certDER.data, gobj[i]->derCert->data, > gobj[i]->derCert->len); > } > } > > /* We're just adding a key, we'll assume the cert is next */ > if (objid == -1) > objid = pem_nobjs + 1; > > listItem->io = AddObjectIfNeeded(CKO_PRIVATE_KEY, pemBareKey, &certDER, > derlist[0], filename, objid, slotID); > if (listItem->io == NULL) > goto loser; > >diff --git a/mozilla/security/nss/lib/ckfw/pem/util.c b/mozilla/security/nss/lib/ckfw/pem/util.c >index 976772f..6a7495f 100644 >--- a/mozilla/security/nss/lib/ckfw/pem/util.c >+++ b/mozilla/security/nss/lib/ckfw/pem/util.c >@@ -232,34 +232,37 @@ ReadDERFromFile(SECItem *** derlist, char *filename, PRBool ascii, > > /* Convert to binary */ > rv = ATOB_ConvertAsciiToItem(der, body); > if (rv) { > free(der); > goto loser; > } > if ((certsonly && !key) || (!certsonly && key)) { > PUT_Object(der, error); > } else { > free(der->data); > free(der); > } > } /* while */ > } else { /* No headers and footers, translate the blob */ >- der = nss_ZNEW(NULL, SECItem); >+ der = (SECItem *) malloc(sizeof(SECItem)); >+ if (der == NULL) >+ goto loser; >+ > rv = ATOB_ConvertAsciiToItem(der, asc); > if (rv) { >- nss_ZFreeIf(der); >+ free(der); > goto loser; > } > > /* NOTE: This code path has never been tested. */ > PUT_Object(der, error); > } > > nss_ZFreeIf(filedata.data); > filedata.data = 0; > filedata.len = 0; > } else { > /* Read in binary der */ > rv = FileToItem(der, inFile); > if (rv != SECSuccess) { > PR_Close(inFile);
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=604040">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Flags:
rrelyea
: review+
kdudka
: review+
Actions:
View
|
Diff
Attachments on
bug 847462
:
603698
| 604040