yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-22 12:15:38 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix potential heap corruption on Windows

Browse Source 
If len is large enough, when cast to an int it will be negative and then the
test if( len > MAX_PATH - 3 ) will not behave as expected.
This commit is contained in:
Manuel Pégourié-Gonnard 2015-10-21 10:16:29 +02:00 committed by Manuel Pégourié-Gonnard
parent cdea97c1c3
commit 261faed725
2 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
ChangeLog
View File

@ -1,5 +1,12 @@
mbed TLS ChangeLog (Sorted per branch, date) mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 2.2.0 released 2015-10-xx
Security
* Fix potential heap corruption on Windows when
mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
triggered remotely. Found by Guido Vranken, Interlworks.
= mbed TLS 2.1.2 released 2015-10-06 = mbed TLS 2.1.2 released 2015-10-06
Security Security

4
library/x509_crt.c
View File

@ -1097,7 +1097,7 @@ int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path )
WCHAR szDir[MAX_PATH]; WCHAR szDir[MAX_PATH];
char filename[MAX_PATH]; char filename[MAX_PATH];
char *p; char *p;
int len = (int) strlen( path ); size_t len = strlen( path );
WIN32_FIND_DATAW file_data; WIN32_FIND_DATAW file_data;
HANDLE hFind; HANDLE hFind;
@ -1131,7 +1131,7 @@ int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path )
w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName, w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
lstrlenW( file_data.cFileName ), lstrlenW( file_data.cFileName ),
p, len - 1, p, (int) len - 1,
NULL, NULL ); NULL, NULL );
if( w_ret == 0 ) if( w_ret == 0 )
return( MBEDTLS_ERR_X509_FILE_IO_ERROR ); return( MBEDTLS_ERR_X509_FILE_IO_ERROR );