From 1f92831170d5be9cb0511f6f9360d3c2daf3d24c Mon Sep 17 00:00:00 2001
From: "\"Steven J. Hill\"" <sjhill@realitydiluted.com>
Date: Mon, 7 May 2007 03:58:30 +0000
Subject: Add new packages.

---
 package/curl/curl-7.13.1-cve-2005-4077.patch | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 package/curl/curl-7.13.1-cve-2005-4077.patch

(limited to 'package/curl/curl-7.13.1-cve-2005-4077.patch')

diff --git a/package/curl/curl-7.13.1-cve-2005-4077.patch b/package/curl/curl-7.13.1-cve-2005-4077.patch
new file mode 100644
index 000000000..8960ea79a
--- /dev/null
+++ b/package/curl/curl-7.13.1-cve-2005-4077.patch
@@ -0,0 +1,23 @@
+--- curl-7.13.1/lib/url.c.cve-2005-4077	2005-12-08 13:08:03.000000000 +0100
++++ curl-7.13.1/lib/url.c	2005-12-08 13:15:56.565790336 +0100
+@@ -2313,12 +2313,18 @@
+   if(urllen < LEAST_PATH_ALLOC)
+     urllen=LEAST_PATH_ALLOC;
+ 
+-  conn->pathbuffer=(char *)malloc(urllen);
++  /*
++   * We malloc() the buffers below urllen+2 to make room for to possibilities:
++   * 1 - an extra terminating zero
++   * 2 - an extra slash (in case a syntax like "www.host.com?moo" is used)
++   */
++
++  conn->pathbuffer=(char *)malloc(urllen+3);
+   if(NULL == conn->pathbuffer)
+     return CURLE_OUT_OF_MEMORY; /* really bad error */
+   conn->path = conn->pathbuffer;
+ 
+-  conn->host.rawalloc=(char *)malloc(urllen);
++  conn->host.rawalloc=(char *)malloc(urllen+3);
+   if(NULL == conn->host.rawalloc)
+     return CURLE_OUT_OF_MEMORY;
+   conn->host.name = conn->host.rawalloc;
-- 
cgit v1.2.3