Correct multiple security related errors: a buffer overflow, NULL

pointer dereferences, possible use of uninitialized variables, and memory leaks. Security: CAN-2005-0753 Security: FreeBSD-SA-05:05.cvs Approved by: peter
2026-05-28 04:12:45 -04:00 · 2005-04-22 17:58:25 +00:00 · 2005-04-22 17:58:25 +00:00 · 31363b6067
commit 31363b6067
parent de12942735
3 changed files with 12 additions and 8 deletions
--- a/contrib/cvs/src/login.c
+++ b/contrib/cvs/src/login.c
@ -116,7 +116,7 @@ password_entry_parseline (cvsroot_canonical, warn, linenumber, linebuf)

 	if (isspace(*(linebuf + 1)))
 	    /* special case since strtoul ignores leading white space */
-	    entry_version = 0;
+	    q = linebuf + 1;
 	else
 	    entry_version = strtoul (linebuf + 1, &q, 10);

--- a/contrib/cvs/src/patch.c
+++ b/contrib/cvs/src/patch.c
@ -10,6 +10,8 @@
 * Create a Larry Wall format "patch" file between a previous release and the
 * current head of a module, or between two releases.  Can specify the
 * release as either a date or a revision number.
+ *
+ * $FreeBSD$
 */

 #include <assert.h>
@ -385,6 +387,7 @@ patch_fileproc (callerdat, finfo)
    struct utimbuf t;
    char *vers_tag, *vers_head;
    char *rcs = NULL;
+    char *rcs_orig = NULL;
    RCSNode *rcsfile;
    FILE *fp1, *fp2, *fp3;
    int ret = 0;
@ -415,7 +418,7 @@ patch_fileproc (callerdat, finfo)
    if ((rcsfile->flags & VALID) && (rcsfile->flags & INATTIC))
 	isattic = 1;

-    rcs = xmalloc (strlen (finfo->file) + sizeof (RCSEXT) + 5);
+    rcs_orig = rcs = xmalloc (strlen (finfo->file) + sizeof (RCSEXT) + 5);
    (void) sprintf (rcs, "%s%s", finfo->file, RCSEXT);

    /* if vers_head is NULL, may have been removed from the release */
@ -757,8 +760,8 @@ failed to read diff file header %s for %s: end of file", tmpfile3, rcs);
 	free (vers_tag);
    if (vers_head != NULL)
 	free (vers_head);
-    if (rcs != NULL)
-	free (rcs);
+    if (rcs_orig)
+	free (rcs_orig);
    return ret;
 }

--- a/contrib/cvs/src/rcs.c
+++ b/contrib/cvs/src/rcs.c
@ -3041,8 +3041,7 @@ RCS_getdate (rcs, date, force_tag_match)
    if (retval != NULL)
 	return (retval);

-    if (!force_tag_match ||
-	(vers != NULL && RCS_datecmp (vers->date, date) <= 0))
+    if (vers && (!force_tag_match || RCS_datecmp (vers->date, date) <= 0))
 	return xstrdup (vers->version);
    else
 	return NULL;
@ -4139,7 +4138,7 @@ RCS_checkout (rcs, workfile, rev, nametag, options, sout, pfn, callerdat)
    size_t len;
    int free_value = 0;
    char *log = NULL;
-    size_t loglen;
+    size_t loglen = 0;
    Node *vp = NULL;
 #ifdef PRESERVE_PERMISSIONS_SUPPORT
    uid_t rcs_owner = (uid_t) -1;
@ -7457,7 +7456,7 @@ RCS_deltas (rcs, fp, rcsbuf, version, op, text, len, log, loglen)

 		for (ln = 0; ln < headlines.nlines; ++ln)
 		{
-		    char buf[80];
+		    char *buf;
 		    /* Period which separates year from month in date.  */
 		    char *ym;
 		    /* Period which separates month from day in date.  */
@ -7468,10 +7467,12 @@ RCS_deltas (rcs, fp, rcsbuf, version, op, text, len, log, loglen)
 		    if (prvers == NULL)
 			prvers = vers;

+		    buf = xmalloc (strlen (prvers->version) + 24);
 		    sprintf (buf, "%-12s (%-8.8s ",
 			     prvers->version,
 			     prvers->author);
 		    cvs_output (buf, 0);
+		    free (buf);

 		    /* Now output the date.  */
 		    ym = strchr (prvers->date, '.');