Old 23rd April 2012
jsmith6134
patch for CVE-2012-2110 - incorrect?

I was examining the patch for the security fix for 5.0:

Part of the patch looks incorrect:

- if (!BUF_MEM_grow_clean(b,len+want))
+ if (len + want < len || !BUF_MEM_grow_clean(b,len+want))
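Review bot: the added test `len + want < len` on the + line is a valid overflow check only if `len` and `want` are unsigned, and the hunk does not show their declarations. With unsigned operands the sum wraps and the comparison catches it; with signed `int` operands the overflow is undefined behaviour and a compiler may drop the test, so in that case the check belongs before the addition, for example `want > INT_MAX - len`. Please include the declarations of `len` and `want` in the context, or a comment stating their type, so the check can be verified from the patch alone.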

"len + want < len" should always be false unless "want" can be negative. If "want" could be negative and that is what the author was trying to detect, then the code should be written:

+ if (want < 0 || !BUF_MEM_grow_clean(b,len+want))

I realize the patch does not show the full source for the file. Am I missing something?
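The overflow test discussed in this post, as an added example that is not part of the original post or of the patched source: it shows how `len + want < len` behaves for unsigned operands, and how the same guard has to be written for signed ones. The names `struct buf`, `unsigned_sum_wraps`, `signed_sum_unsafe` and `buf_grow_checked` are hypothetical, and the operand types are assumptions, since the post does not show the declarations.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a growable buffer; not OpenSSL's BUF_MEM. */
struct buf { unsigned char *data; size_t len; };

/* Unsigned operands: wraparound is defined (modulo SIZE_MAX + 1), so a
 * sum smaller than one operand means the addition wrapped. */
static int unsigned_sum_wraps(size_t len, size_t want)
{
    return len + want < len;
}

/* Signed operands: overflow is undefined behaviour, so the test must be
 * made before adding. Negative inputs are rejected as well. */
static int signed_sum_unsafe(int len, int want)
{
    return len < 0 || want < 0 || want > INT_MAX - len;
}

/* Grow b to hold len + want bytes. Returns 1 on success, 0 if the size
 * would wrap or the allocation fails (b is left unchanged in both cases). */
static int buf_grow_checked(struct buf *b, size_t len, size_t want)
{
    unsigned char *p;

    if (unsigned_sum_wraps(len, want))
        return 0;
    p = realloc(b->data, len + want);
    if (p == NULL)
        return 0;
    b->data = p;
    b->len = len + want;
    return 1;
}

int main(void)
{
    struct buf b = { NULL, 0 };

    /* Constructed sample values. */
    printf("unsigned wrap:   %d\n", unsigned_sum_wraps(SIZE_MAX - 4, 8));
    printf("signed overflow: %d\n", signed_sum_unsafe(INT_MAX - 4, 8));
    printf("grow 64+16:      %d\n", buf_grow_checked(&b, 64, 16));
    printf("grow wrap:       %d\n", buf_grow_checked(&b, SIZE_MAX - 4, 8));
    free(b.data);
    return 0;
}
```

In both the unsigned and the signed case, two non-negative operands can produce an overflow, so a sign test on `want` alone does not cover it.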