[Bug 84657] Re: Security update for rar/unrar (CVE-2007-0855)
Kees Cook
kees at ubuntu.com
Mon Feb 12 06:05:58 GMT 2007
Seems the multi-byte actions should only happen if the entire range
passes IS_VM_MEM()? Instead of:
+ if (IS_VM_MEM(Addr))
+ {
+ ((byte *)Addr)[0]=(byte)Value;
+ ((byte *)Addr)[1]=(byte)(Value>>8);
+ ((byte *)Addr)[2]=(byte)(Value>>16);
+ ((byte *)Addr)[3]=(byte)(Value>>24);
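Review bot: the guard `IS_VM_MEM(Addr)` tests only the first byte, but the body stores to `((byte *)Addr)[0]` through `((byte *)Addr)[3]`, so an Addr that passes the check within three bytes of the end of the region it accepts would still let the last stores land outside it. The condition should cover the whole four-byte span, for example by also testing the address of the last byte written.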
Does this make more sense:
+ if (IS_VM_MEM(Addr) &&
+ IS_VM_MEM(&((byte*)Addr[3]))
+ {
+ ((byte *)Addr)[0]=(byte)Value;
+ ((byte *)Addr)[1]=(byte)(Value>>8);
+ ((byte *)Addr)[2]=(byte)(Value>>16);
+ ((byte *)Addr)[3]=(byte)(Value>>24);
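Review bot: the second condition, `IS_VM_MEM(&((byte*)Addr[3]))`, will not compile as written. The cast binds to `Addr[3]` rather than to `Addr`, and the `if (` is never closed. To test the last byte written it would need to read `IS_VM_MEM(&((byte *)Addr)[3]))`, with the final parenthesis closing the `if`. Checking both ends covers the whole range only if the region IS_VM_MEM accepts is contiguous and no address computation wraps, which is worth confirming against the macro's definition.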
--
Security update for rar/unrar (CVE-2007-0855)
https://launchpad.net/bugs/84657