Fix heap overflow in ares_mkquery.
Thanks to the reporter for the patch.
BUG=chromium:649040
TEST=Trybots
Change-Id: Ic038b69c227d8637c213ec655ace6bd567040db2
Reviewed-on: https://chromium-review.googlesource.com/388126
Commit-Ready: Ricky Zhou <rickyz@chromium.org>
Tested-by: Ricky Zhou <rickyz@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
diff --git a/net-dns/c-ares/c-ares-1.7.5-r1.ebuild b/net-dns/c-ares/c-ares-1.7.5-r2.ebuild
similarity index 100%
rename from net-dns/c-ares/c-ares-1.7.5-r1.ebuild
rename to net-dns/c-ares/c-ares-1.7.5-r2.ebuild
diff --git a/net-dns/c-ares/c-ares-1.7.5.ebuild b/net-dns/c-ares/c-ares-1.7.5.ebuild
index 9a92eaa..9f043f9 100644
--- a/net-dns/c-ares/c-ares-1.7.5.ebuild
+++ b/net-dns/c-ares/c-ares-1.7.5.ebuild
@@ -4,6 +4,8 @@
EAPI=4
+inherit eutils
+
DESCRIPTION="C library that resolves names asynchronously"
HOMEPAGE="http://c-ares.haxx.se/"
SRC_URI="http://${PN}.haxx.se/download/${P}.tar.gz"
@@ -15,6 +17,11 @@
DOCS=( AUTHORS CHANGES README README.cares RELEASE-NOTES TODO )
+src_prepare() {
+ # chromium:649040
+ epatch "${FILESDIR}"/c-ares-1.7.5-mkquery-heap-overflow.patch
+}
+
src_configure() {
econf \
--enable-nonblocking \
diff --git a/net-dns/c-ares/files/c-ares-1.7.5-mkquery-heap-overflow.patch b/net-dns/c-ares/files/c-ares-1.7.5-mkquery-heap-overflow.patch
new file mode 100644
index 0000000..0651288
--- /dev/null
+++ b/net-dns/c-ares/files/c-ares-1.7.5-mkquery-heap-overflow.patch
@@ -0,0 +1,39 @@
+Fixes heap buffer overflow in ares_mkquery.
+
+If name ends with "\.", ares_mkquery allocates a query buffer that is
+one byte too small.
+
+https://crbug.com/649040
+
+--- c-ares-1.7.5/ares_mkquery.c
++++ c-ares-1.7.5/ares_mkquery.c
+@@ -96,20 +96,22 @@ int ares_mkquery(const char *name, int dnsclass, int type, unsigned short id,
+ *buflen = 0;
+ *buf = NULL;
+
+- /* Compute the length of the encoded name so we can check buflen.
+- * Start counting at 1 for the zero-length label at the end. */
++ /* Compute the length of the encoded name so we can allocate the buffer.
++ * Start counting at 1 to account for the first label's length field. */
+ len = 1;
+ for (p = name; *p; p++)
+ {
++ /* The length field of the last label is accounted for below. */
++ if (*p == '.' && *(p + 1) == 0)
++ break;
+ if (*p == '\\' && *(p + 1) != 0)
+ p++;
+ len++;
+ }
+- /* If there are n periods in the name, there are n + 1 labels, and
+- * thus n + 1 length fields, unless the name is empty or ends with a
+- * period. So add 1 unless name is empty or ends with a period.
+- */
+- if (*name && *(p - 1) != '.')
++
++ /* Account for the length field of the last label. If the name is "." or
++ * empty, the last label is the first label, which was already counted. */
++ if (*name && strcmp(name, ".") != 0)
+ len++;
+
+ /* Immediately reject names that are longer than the maximum of 255
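Review bot: The patch header at the top of this file states the symptom ("\." makes the buffer one byte too small) but not the root cause, which is what a future rebaser needs: the old `*(p - 1) != '.'` test looked only at the final byte, so an escaped dot was mistaken for a trailing label separator and the length field of the last label was never counted; I would add `The old check inspected only the last character, so an escaped dot ("\.") was treated as a trailing label separator.` after the second paragraph. The new accounting is consistent for the cases I traced by hand (`""`, `"."`, `"a.b"`, `"a.b."`, `"a\."`, `"\."`), and the break on `*p == '.' && *(p + 1) == 0` correctly does not fire for an escaped dot because the backslash branch has already advanced past it. The computed `len` is now the allocation size, so it must stay in lock-step with the encoding loop further down in ares_mkquery, which lies outside this hunk; a defensive check after encoding that the number of bytes written equals the computed length would turn any future drift into a clean failure rather than an out-of-bounds write. The commit records only TEST=Trybots; a regression test that calls ares_mkquery with a name ending in `\.` would pin this fix.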