Fixed TrioParse and trio_length limts.
CVE-2020-4030 thanks to @antonio-morales for finding this.
akallabeth committed Jun 22, 2020
1 parent b8beb55 commit 05cd9ea
Showing 2 changed files with 5 additions and 4 deletions.
6 changes: 3 additions & 3 deletions winpr/libwinpr/utils/trio/trio.c
@@ -2729,7 +2729,7 @@ TRIO_PRIVATE void TrioWriteString TRIO_ARGS5((self, string, flags, width, precis
trio_class_t* self, TRIO_CONST char* string,
trio_flags_t flags, int width, int precision)
{
int length;
int length = 0;
int ch;

assert(VALID(self));
@@ -2747,7 +2747,7 @@ TRIO_PRIVATE void TrioWriteString TRIO_ARGS5((self, string, flags, width, precis
}
else
{
if (precision == 0)
if (precision <= 0)
{
length = trio_length(string);
}
@@ -4754,7 +4754,7 @@ TRIO_PUBLIC trio_pointer_t trio_register TRIO_ARGS2((callback, name), trio_callb
}

/* Bail out if namespace is too long */
if (trio_length(name) >= MAX_USER_NAME)
if (trio_length_max(name, MAX_USER_NAME) >= MAX_USER_NAME)
return NULL;

/* Bail out if namespace already is registered */
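Review bot: In TrioWriteString, `length = trio_length(string);` stores a `size_t` result in `int length`, and that narrowing is only safe because this same commit caps trio_length at INT_MAX in triostr.c; nothing at the call site records the dependency. I would add a comment above the assignment such as `/* trio_length() never returns more than INT_MAX, so this fits in int */`, so a later change to trio_length does not silently bring back the length problem this commit fixes for CVE-2020-4030. The widened test `if (precision <= 0)` also deserves a one-line comment saying that zero and negative precision both mean "no limit" here, since a negative value would presumably turn into a very large bound if it reached trio_length_max. The function body continues outside both hunks, so the trio_length_max branch itself is not visible.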
3 changes: 2 additions & 1 deletion winpr/libwinpr/utils/trio/triostr.c
@@ -25,6 +25,7 @@
#include <assert.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include <ctype.h>
#include "triodef.h"
#include "triostr.h"
@@ -328,7 +329,7 @@ TRIO_PUBLIC_STRING void trio_destroy TRIO_ARGS1((string), char* string)

TRIO_PUBLIC_STRING size_t trio_length TRIO_ARGS1((string), TRIO_CONST char* string)
{
return strlen(string);
return trio_length_max(string, INT_MAX);
}

#endif
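Review bot: `trio_length` now returns at most INT_MAX although its return type is still `size_t`, so for a longer string it reports a truncated length rather than the real one, and that contract change is not documented. A comment on the function would cover it: `/* Returns at most INT_MAX: callers keep the result in an int. */`. Callers that use the value as a copy size or to locate the terminator should be checked against that cap. The `#endif` after the function suggests it is compiled under a feature guard; if trio_length_max is guarded separately (not visible in this hunk), the two need to be enabled together or the build breaks.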
