Backport fix for CVE-20060224.

3 files changed, 61 insertions, 3 deletions

diff --git a/devel/libast/Makefile b/devel/libast/Makefile
index 0340c6db544..d7ab0564e14 100644
--- a/devel/libast/Makefile
+++ b/devel/libast/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.19 2006/02/05 23:08:44 joerg Exp $
+# $NetBSD: Makefile,v 1.20 2006/03/07 02:30:41 joerg Exp $
 
 DISTNAME=	libast-0.6.1
-PKGREVISION=	1
+PKGREVISION=	2
 CATEGORIES=	devel
 MASTER_SITES=  	http://www.eterm.org/download/
 
diff --git a/devel/libast/distinfo b/devel/libast/distinfo
index b2df70f8733..e34db69c4cf 100644
--- a/devel/libast/distinfo
+++ b/devel/libast/distinfo
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.3 2005/02/23 22:24:17 agc Exp $
+$NetBSD: distinfo,v 1.4 2006/03/07 02:30:41 joerg Exp $
 
 SHA1 (libast-0.6.1.tar.gz) = 894b9dda8e6f971e0192b78d05dc4812839a01cb
 RMD160 (libast-0.6.1.tar.gz) = 85d6a6433fe12c81d120adf7e6567c0676d26b8c
 Size (libast-0.6.1.tar.gz) = 356881 bytes
+SHA1 (patch-aa) = ae46e2d08170f491d13f573ca075166c3f6e1a2a
diff --git a/devel/libast/patches/patch-aa b/devel/libast/patches/patch-aa
new file mode 100644
index 00000000000..cb306283c25
--- /dev/null
+++ b/devel/libast/patches/patch-aa
@@ -0,0 +1,57 @@
+$NetBSD: patch-aa,v 1.3 2006/03/07 02:30:41 joerg Exp $
+
+--- src/conf.c.orig	2004-11-07 20:18:21.000000000 +0100
++++ src/conf.c
+@@ -721,14 +721,12 @@ spifconf_shell_expand(spif_charptr_t s)
+ 
+ /* The config file reader.  This looks for the config file by searching CONFIG_SEARCH_PATH.
+    If it can't find a config file, it displays a warning but continues. -- mej */
+-
+ spif_charptr_t 
+ spifconf_find_file(const spif_charptr_t file, const spif_charptr_t dir, const spif_charptr_t pathlist)
+ {
+     static spif_char_t name[PATH_MAX], full_path[PATH_MAX];
+     spif_charptr_t path, p;
+-    short maxpathlen;
+-    unsigned short len;
++    spif_int32_t len, maxpathlen;
+     struct stat fst;
+ 
+     REQUIRE_RVAL(file != NULL, NULL);
+@@ -737,6 +735,13 @@ spifconf_find_file(const spif_charptr_t 
+     D_CONF(("spifconf_find_file(\"%s\", \"%s\", \"%s\") called from directory \"%s\".\n",
+             file, NONULL(dir), NONULL(pathlist), name));
+ 
++    /* Make sure our supplied settings don't overflow. */
++    len = strlen(SPIF_CAST_C(char *) file) + ((dir) ? (strlen(SPIF_CAST_C(char *) dir)) : (0)) + 2;
++    if ((len > SPIF_CAST(int32) sizeof(name)) || (len <= 0)) {
++        D_CONF(("Too big.  I lose. :(\n"));
++        return ((spif_charptr_t) NULL);
++    }
++
+     if (dir) {
+         strcpy(SPIF_CAST_C(char *) name, SPIF_CAST_C(char *) dir);
+         strcat(SPIF_CAST_C(char *) name, "/");
+@@ -756,7 +761,7 @@ spifconf_find_file(const spif_charptr_t 
+     /* maxpathlen is the longest possible path we can stuff into name[].  The - 2 saves room for
+        an additional / and the trailing null. */
+     if ((maxpathlen = sizeof(name) - len - 2) <= 0) {
+-        D_CONF(("Too big.  I lose. :(\n", name));
++        D_CONF(("Too big.  I lose. :(\n"));
+         return ((spif_charptr_t) NULL);
+     }
+ 
+@@ -827,10 +832,12 @@ spifconf_open_file(spif_charptr_t name)
+     /* Check version number against current application version. */
+     begin_ptr = SPIF_STR_STR(ver_str) + spif_str_index(ver_str, SPIF_CAST(char) '-') + 1;
+     end_ptr = SPIF_STR_STR(ver_str) + spif_str_index(ver_str, SPIF_CAST(char) '>');
++    D_CONF(("Begin pointer is %10p (%s), end pointer is %10p (%s), length is %d, buffer size is %d\n",
++            begin_ptr, begin_ptr, end_ptr, end_ptr, SPIF_CAST_C(int) (end_ptr - begin_ptr), sizeof(buff)));
+     if (SPIF_PTR_ISNULL(end_ptr)) {
+         spiftool_safe_strncpy(buff, begin_ptr, sizeof(buff));
+     } else {
+-        testlen = MAX(SPIF_CAST_C(int) sizeof(buff), SPIF_CAST_C(int) (end_ptr - begin_ptr));
++        testlen = MIN(SPIF_CAST_C(int) sizeof(buff), SPIF_CAST_C(int) (end_ptr - begin_ptr + 1));
+         spiftool_safe_strncpy(buff, begin_ptr, testlen);
+     }
+     ver = spiftool_version_compare(buff, libast_program_version);