Source: xterm
Version: 327-2+deb9u1
Severity: serious
Justification: introduces use-after-realloc

debian/patches/CVE-2021-27135.patch changes button.c line (after patching) 3747 to:

    line = realloc(line, screen->selection_size);

But “line” is a local variable, the address of the buffer must be stored in the one handed out, too, so please change this to:

    if ((have * 2) < (size_t) j) {
        Char *next = realloc(line, have + 1);
        if (next) {
            screen->selection_data = line = next;
            screen->selection_size = have + 1;
        }
    }

This also deals properly with realloc failures (since we’re shrinking, ignore them and just keep the older, larger area).

I’ve not looked at jessie-ELTS or buster-security whether they are affected as well; sid is clean (and where I got the realloc failure check necessity from, although sid’s free()s the buffer if realloc fails; this isn’t needed @Tom).

bye,
//mirabilos
-- 
<ch> you introduced a merge commit             │<mika> % g rebase -i HEAD^^
<mika> sorry, no idea and rebasing just fscked │<mika> Segmentation
<ch> should have cloned into a clean repo      │  fault (core dumped)
<ch> if I rebase that now, it's really ugh     │<mika:#grml> wuahhhhhh
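
The ownership pattern behind this report, as an added example that is not xterm's or Debian's code: a long-lived struct owns the buffer while a local alias is handed to realloc. The struct `sel_screen`, the functions `shrink_selection` and `demo`, and the use of `unsigned char` in place of `Char` are assumptions made for illustration; the field and variable names `selection_data`, `selection_size`, `line`, `next` and `have` follow the report.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for the screen fields named in the report (hypothetical struct). */
struct sel_screen {
    unsigned char *selection_data;  /* long-lived owner of the buffer */
    size_t selection_size;          /* allocated size of selection_data */
};

/* Shrink the buffer to have+1 bytes when less than half of it is in use.
 * Returns the pointer the caller must use from now on. */
unsigned char *shrink_selection(struct sel_screen *screen, size_t have)
{
    unsigned char *line = screen->selection_data;   /* local alias */

    if (have * 2 < screen->selection_size) {
        unsigned char *next = realloc(line, have + 1);
        if (next != NULL) {
            /* realloc may move the block: update owner and alias together,
             * otherwise the owner keeps pointing at freed memory */
            screen->selection_data = line = next;
            screen->selection_size = have + 1;
        }
        /* on failure the old, larger block is still valid and still owned */
    }
    return line;
}

/* Constructed scenario: 4096-byte buffer holding a 5-byte selection.
 * Returns 0 when owner, alias, size and contents all agree afterwards. */
int demo(void)
{
    struct sel_screen screen;
    unsigned char *line;
    int ok;

    screen.selection_size = 4096;
    screen.selection_data = malloc(screen.selection_size);
    if (screen.selection_data == NULL) return -1;
    memcpy(screen.selection_data, "hello", 6);

    line = shrink_selection(&screen, 5);
    ok = line == screen.selection_data
        && screen.selection_size == 6
        && memcmp(screen.selection_data, "hello", 6) == 0;
    free(screen.selection_data);
    return ok ? 0 : 1;
}

int main(void) { return demo(); }
```

Building this with `-fsanitize=address` and then dropping the `screen->selection_data =` part of the assignment makes the stale owner pointer show up as a heap-use-after-free in `demo` whenever realloc moves the block.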