
Bug#774236: marked as done (unblock: libmspack/0.4-2)



Your message dated Tue, 30 Dec 2014 18:30:40 +0100
with message-id <20141230173039.GB19299@ugent.be>
and subject line Re: Bug#774236: unblock: libmspack/0.4-2
has caused the Debian Bug report #774236,
regarding unblock: libmspack/0.4-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
774236: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774236
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal


Coin,

This upload fixes a nasty hang with security implications (see #773041). It only affects wheezy through this library. The patch is quite small and that's the only change (debdiff attached).

Command:
  unblock libmspack/0.4-2

Thanks.

--
Marc Dequènes
diff -Nru libmspack-0.4/debian/changelog libmspack-0.4/debian/changelog
--- libmspack-0.4/debian/changelog	2013-08-16 23:52:26.000000000 +0200
+++ libmspack-0.4/debian/changelog	2014-12-30 17:44:28.000000000 +0100
@@ -1,3 +1,10 @@
+libmspack (0.4-2) unstable; urgency=medium
+
+  * Added patch 'qtmd-fix-frame_end-overflow.patch' to fix an overflow
+    causing an infinite loop in some situation (Closes: #773041).
+
+ -- Marc Dequènes (Duck) <Duck@DuckCorp.org>  Tue, 30 Dec 2014 17:40:47 +0100
+
 libmspack (0.4-1) unstable; urgency=low
 
   * Initial release. (Closes: #711232)
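Review bot: the changelog entry closes #773041 only, while the description inside qtmd-fix-frame_end-overflow.patch names both #773041 and #772891 as reports of the same endless loop; if #772891 is the same issue, add it to the Closes list, e.g. `(Closes: #773041, #772891)`, so this upload closes it as well. Minor wording: "in some situation" should read "in some situations".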
diff -Nru libmspack-0.4/debian/patches/qtmd-fix-frame_end-overflow.patch libmspack-0.4/debian/patches/qtmd-fix-frame_end-overflow.patch
--- libmspack-0.4/debian/patches/qtmd-fix-frame_end-overflow.patch	1970-01-01 01:00:00.000000000 +0100
+++ libmspack-0.4/debian/patches/qtmd-fix-frame_end-overflow.patch	2014-12-30 17:30:17.000000000 +0100
@@ -0,0 +1,62 @@
+From a0449d2079c4ba5822e6567ad7094c10108f16cd Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Date: Tue, 23 Dec 2014 21:20:43 +0100
+Subject: libmspack: qtmd: fix frame_end overflow
+
+Debian bts #773041, #772891 contains a report of a .cab file which
+causes an endless loop.
+Eric Sharkey diagnosed the problem as frame_end is 32bit and overflows
+and the result the loop makes no progress.
+The problem seems that after the overflow, window_posn is larger than
+frame_end and therefore we never enter the loop to make progress. But we
+still have out_bytes >0 so we don't leave the outer loop either.
+
+Andreas Cadhalpun suggested to instead makeing frame_end 64bit, we could
+avoid the overflow by reordering the code the following way:
+
+original, with just out_bytes (without (qtm->o_end - qtm->o_ptr))
+| frame_end = window_posn + out_bytes;
+| if ((window_posn + frame_todo) < frame_end) {
+|         frame_end = window_posn + frame_todo;
+| }
+
+replace frame_end in "if" with its content (and move the first frame_end
+into the else path)
+| if ((window_posn + frame_todo) < (window_posn + out_bytes))
+|         frame_end = window_posn + frame_todo;
+| else
+|         frame_end = window_posn + out_bytes;
+
+remove window_posn from "if" since it is the same both times.
+| if (frame_todo <  out_bytes)
+|         frame_end = window_posn + frame_todo;
+| else
+|         frame_end = window_posn + out_bytes;
+
+Andreas added:
+|This works, because frame_todo is at most QTM_FRAME_SIZE = 32768.
+
+Suggested-as-patch: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
+[sebastian@breakpoint: added patch description]
+Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+---
+ libmspack/mspack/qtmd.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/mspack/qtmd.c b/mspack/qtmd.c
+index 12b27f5608c4..e584aef8e576 100644
+--- a/mspack/qtmd.c
++++ b/mspack/qtmd.c
+@@ -296,9 +296,10 @@ int qtmd_decompress(struct qtmd_stream *qtm, off_t out_bytes) {
+ 
+     /* decode more, up to the number of bytes needed, the frame boundary,
+      * or the window boundary, whichever comes first */
+-    frame_end = window_posn + (out_bytes - (qtm->o_end - qtm->o_ptr));
+-    if ((window_posn + frame_todo) < frame_end) {
++    if (frame_todo < (out_bytes - (qtm->o_end - qtm->o_ptr))) {
+       frame_end = window_posn + frame_todo;
++    } else {
++      frame_end = window_posn + (out_bytes - (qtm->o_end - qtm->o_ptr));
+     }
+     if (frame_end > qtm->window_size) {
+       frame_end = qtm->window_size;
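Review bot: the reordered code in the qtmd.c hunk only avoids the 32-bit overflow of `frame_end` because `frame_todo` is bounded by QTM_FRAME_SIZE (32768), as the patch description says: `window_posn + frame_todo` cannot overflow, and in the else branch `(out_bytes - (qtm->o_end - qtm->o_ptr))` is at most `frame_todo`, so that sum cannot overflow either. That invariant lives only in the commit message, so add a short comment beside the new `if`, for example `/* compare before adding: frame_todo <= QTM_FRAME_SIZE, so neither sum can overflow frame_end */`, to keep a later edit from reintroducing the original `window_posn + out_bytes` computation. The description also has the typo "makeing" and "Debian bts #773041, #772891 contains" should read "contain".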
diff -Nru libmspack-0.4/debian/patches/series libmspack-0.4/debian/patches/series
--- libmspack-0.4/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libmspack-0.4/debian/patches/series	2014-12-30 17:10:37.000000000 +0100
@@ -0,0 +1 @@
+qtmd-fix-frame_end-overflow.patch

--- End Message ---
--- Begin Message ---
Hi,

On Tue, Dec 30, 2014 at 06:06:27PM +0100, Marc Dequènes wrote:
> unblock libmspack/0.4-2

Unblocked.

Cheers,

Ivo

--- End Message ---