diff --git a/allow-const-names-for-set-progress-implementation.patch b/allow-const-names-for-set-progress-implementation.patch new file mode 100644 index 0000000000000000000000000000000000000000..11db8a04d5e3924ac4316a04e1ee186a8398c4ca --- /dev/null +++ b/allow-const-names-for-set-progress-implementation.patch @@ -0,0 +1,86 @@ +From ce8ce5bfc0f03a751de5c3b103a955e8e25a64e4 Mon Sep 17 00:00:00 2001 +From: Tim Rühsen +Date: Thu, 12 Dec 2019 17:27:58 +0100 +Subject: [PATCH] * src/progress.c: Allow const names for + set_progress_implementation. + +--- + src/progress.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/src/progress.c b/src/progress.c +index ecf0dc4f..8eddedd3 100644 +--- a/src/progress.c ++++ b/src/progress.c +@@ -51,7 +51,7 @@ struct progress_implementation { + void (*update) (void *, wgint, double); + void (*draw) (void *); + void (*finish) (void *, double); +- void (*set_params) (char *); ++ void (*set_params) (const char *); + }; + + /* Necessary forward declarations. */ +@@ -60,13 +60,13 @@ static void *dot_create (const char *, wgint, wgint); + static void dot_update (void *, wgint, double); + static void dot_finish (void *, double); + static void dot_draw (void *); +-static void dot_set_params (char *); ++static void dot_set_params (const char *); + + static void *bar_create (const char *, wgint, wgint); + static void bar_update (void *, wgint, double); + static void bar_draw (void *); + static void bar_finish (void *, double); +-static void bar_set_params (char *); ++static void bar_set_params (const char *); + + static struct progress_implementation implementations[] = { + { "dot", 0, dot_create, dot_update, dot_draw, dot_finish, dot_set_params }, +@@ -112,7 +112,7 @@ set_progress_implementation (const char *name) + { + size_t i, namelen; + struct progress_implementation *pi = implementations; +- char *colon; ++ const char *colon; + + if (!name) + name = DEFAULT_PROGRESS_IMPLEMENTATION; +@@ -437,7 +437,7 @@ dot_finish (void *progress, double dltime) + giga. */ + + static void +-dot_set_params (char *params) ++dot_set_params (const char *params) + { + if (!params || !*params) + params = opt.dot_style; +@@ -1217,18 +1217,20 @@ display_image (char *buf) + } + + static void +-bar_set_params (char *params) ++bar_set_params (const char *params) + { + if (params) + { +- char *param = strtok (params, ":"); +- do ++ for (const char *param = params; *param; ) + { +- if (0 == strcmp (param, "force")) ++ if (!strncmp (param, "force", 5)) + current_impl_locked = 1; +- else if (0 == strcmp (param, "noscroll")) ++ else if (!strncmp (param, "noscroll", 8)) + opt.noscroll = true; +- } while ((param = strtok (NULL, ":")) != NULL); ++ ++ if (*(param = strchrnul(param, ':'))) ++ param++; ++ } + } + + if (((opt.lfilename && opt.show_progress != 1) +-- +2.19.1.windows.1 diff --git a/avoid-triggering-signed-integer-overflow.patch b/avoid-triggering-signed-integer-overflow.patch new file mode 100644 index 0000000000000000000000000000000000000000..8d4712dd7fa9df03f3c76f86b26f69185d734f66 --- /dev/null +++ b/avoid-triggering-signed-integer-overflow.patch @@ -0,0 +1,28 @@ +From db1cbb29f40b3d2e88fe33b503a9c33319f4a7dd Mon Sep 17 00:00:00 2001 +Date: Fri, 13 Mar 2020 10:41:52 +0800 +Subject: [PATCH] avoid triggering signed integer overflow + +--- + src/html-url.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/html-url.c b/src/html-url.c +index 2f95357..409f2a0 100644 +--- a/src/html-url.c ++++ b/src/html-url.c +@@ -596,7 +596,11 @@ tag_handle_meta (int tagid _GL_UNUSED, struct taginfo *tag, struct map_context * + return; + + for (p = refresh; c_isdigit (*p); p++) +- timeout = 10 * timeout + *p - '0'; ++ { ++ if (timeout > INT_MAX >> 4 || *p - '0' > INT_MAX - 10 * timeout) ++ return; ++ timeout = 10 * timeout + *p - '0'; ++ } + if (*p++ != ';') + return; + +-- +2.23.0 + diff --git a/calc_rate-fix-division-by-zero.patch b/calc_rate-fix-division-by-zero.patch new file mode 100644 index 0000000000000000000000000000000000000000..af25316fbe2f5005c0f45bcc21beca18244b05b8 --- /dev/null +++ b/calc_rate-fix-division-by-zero.patch @@ -0,0 +1,25 @@ +From f5d1dcf7183d731d7e2a06313dacd1452f54b623 Mon Sep 17 00:00:00 2001 +From: Tim Rühsen +Date: Thu, 12 Dec 2019 13:46:38 +0100 +Subject: [PATCH] * src/retr.c (calc_rate): Fix division by 0 + +--- + src/retr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/retr.c b/src/retr.c +index 1f43c726..f3a82419 100644 +--- a/src/retr.c ++++ b/src/retr.c +@@ -826,7 +826,7 @@ calc_rate (wgint bytes, double secs, int *units) + 0 and the timer's resolution, assume half the resolution. */ + secs = ptimer_resolution () / 2.0; + +- dlrate = convert_to_bits (bytes) / secs; ++ dlrate = secs ? convert_to_bits (bytes) / secs : 0; + if (dlrate < bibyte) + *units = 0; + else if (dlrate < (bibyte * bibyte)) +-- +2.19.1.windows.1 + diff --git a/create_image-Sanitize-input-param-dl_total_time.patch b/create_image-Sanitize-input-param-dl_total_time.patch new file mode 100644 index 0000000000000000000000000000000000000000..115767e4154470796a0689e87fc54beab3f7b4fc --- /dev/null +++ b/create_image-Sanitize-input-param-dl_total_time.patch @@ -0,0 +1,30 @@ +From 0179138fe58134dec9abe77220d683c7dbb105e6 Mon Sep 17 00:00:00 2001 +From: Tim Rühsen +Date: Wed, 11 Dec 2019 12:29:54 +0100 +Subject: [PATCH] * src/progress.c (create_image): Sanitize input param + 'dl_total_time' + +--- + src/progress.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/progress.c b/src/progress.c +index 1db94546..574a035e 100644 +--- a/src/progress.c ++++ b/src/progress.c +@@ -950,6 +950,12 @@ create_image (struct bar_progress *bp, double dl_total_time, bool done) + if (progress_size < 5) + progress_size = 0; + ++ // sanitize input ++ if (dl_total_time >= INT_MAX) ++ dl_total_time = INT_MAX - 1; ++ else if (dl_total_time < 0) ++ dl_total_time = 0; ++ + if (orig_filename_cols <= MAX_FILENAME_COLS) + { + padding = MAX_FILENAME_COLS - orig_filename_cols; +-- +2.19.1.windows.1 + diff --git a/dot-draw-avoid-integer-overflows.patch b/dot-draw-avoid-integer-overflows.patch new file mode 100644 index 0000000000000000000000000000000000000000..128bc53b88749139b70b24c0b2f35487c7969bcd --- /dev/null +++ b/dot-draw-avoid-integer-overflows.patch @@ -0,0 +1,26 @@ +From 61b8078672233b6bbc24c67c4a909817fc7e878d Mon Sep 17 00:00:00 2001 +From: Tim Rühsen +Date: Thu, 12 Dec 2019 16:07:08 +0100 +Subject: [PATCH] * src/progress.c (dot_draw): Avoid integer overflow + +--- + src/progress.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/progress.c b/src/progress.c +index 06750531..ecf0dc4f 100644 +--- a/src/progress.c ++++ b/src/progress.c +@@ -386,7 +386,8 @@ dot_draw (void *progress) + ++dp->dots; + if (dp->dots >= opt.dots_in_line) + { +- ++dp->rows; ++ if (dp->rows < INT_MAX) ++ ++dp->rows; + dp->dots = 0; + + print_row_stats (dp, dp->dltime, false); +-- +2.19.1.windows.1 + diff --git a/dot-update-dot-finish-sanitize-input.patch b/dot-update-dot-finish-sanitize-input.patch new file mode 100644 index 0000000000000000000000000000000000000000..510aafad9e78d88afffba86f86f1d973e7f965f1 --- /dev/null +++ b/dot-update-dot-finish-sanitize-input.patch @@ -0,0 +1,45 @@ +From 542524855a46d66f18439688ffe61177cc867266 Mon Sep 17 00:00:00 2001 +From:Tim Rühsen +Date: Thu, 12 Dec 2019 13:47:30 +0100 +Subject: [PATCH] * src/progress.c (dot_update, dot_finish): Sanitize input + +--- + src/progress.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/src/progress.c b/src/progress.c +index 574a035e..d2778d41 100644 +--- a/src/progress.c ++++ b/src/progress.c +@@ -348,6 +348,15 @@ print_row_stats (struct dot_progress *dp, double dltime, bool last) + static void + dot_update (void *progress, wgint howmuch, double dltime) + { ++ // sanitize input ++ if (dltime >= INT_MAX) ++ dltime = INT_MAX - 1; ++ else if (dltime < 0) ++ dltime = 0; ++ ++ if (howmuch < 0) ++ howmuch = 0; ++ + struct dot_progress *dp = progress; + dp->accumulated += howmuch; + dp->dltime = dltime; +@@ -406,6 +415,12 @@ dot_finish (void *progress, double dltime) + logputs (LOG_PROGRESS, " "); + } + ++ // sanitize input ++ if (dltime >= INT_MAX) ++ dltime = INT_MAX - 1; ++ else if (dltime < 0) ++ dltime = 0; ++ + print_row_stats (dp, dltime, true); + logputs (LOG_VERBOSE, "\n\n"); + log_set_flush (false); +-- +2.19.1.windows.1 + diff --git a/fix-and-cleanup-progress-bar-code.patch b/fix-and-cleanup-progress-bar-code.patch new file mode 100644 index 0000000000000000000000000000000000000000..7ccb40558ecb42dc7c024c3b00ecb837860e09ae --- /dev/null +++ b/fix-and-cleanup-progress-bar-code.patch @@ -0,0 +1,153 @@ +From 33bc3aae517e4884f08928be9d6e4c941ec3f489 Mon Sep 17 00:00:00 2001 +From: vyachemail +Date: Sat, 25 Jan 2020 00:30:09 +0600 +Subject: [PATCH] Fix and cleanup progress bar code + +*src/progress.c + (struct dot_progress) accumulated, rows: Type changed to wgint + (print_row_stats): Fix missing unit name 'T' + (dot_update): Add ability to reduce dot_draw runtime + (bar_update): Avoid integer overflow +--- + src/progress.c | 63 ++++++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 54 insertions(+), 9 deletions(-) + +diff --git a/src/progress.c b/src/progress.c +index 2fed72c0..296d8f30 100644 +--- a/src/progress.c ++++ b/src/progress.c +@@ -220,11 +220,11 @@ struct dot_progress { + wgint total_length; /* expected total byte count when the + download finishes */ + +- int accumulated; /* number of bytes accumulated after ++ wgint accumulated; /* number of bytes accumulated after + the last printed dot */ + + double dltime; /* download time so far */ +- int rows; /* number of rows printed so far */ ++ wgint rows; /* number of rows printed so far */ + int dots; /* number of dots printed in this row */ + + double last_timer_value; +@@ -282,6 +282,21 @@ dot_create (const char *f_download _GL_UNUSED, wgint initial, wgint total) + + static const char *eta_to_human_short (int, bool); + ++/* ADD_DOT_ROWS_THRS - minimal (1 << ADD_DOT_ROWS_THRS) ROWS to be added ++ to the current row if dp->accumulated too much. ++ Allows to reduce dot_draw io, times. ++ According to the way progress_update is currently has being called, this ++ should happens only when fuzzing, or (paranoia) if somehow buffer will ++ be too large. ++ Can be disabled by default if this is not fuzzing build. */ ++#ifndef ADD_DOT_ROWS_THRS ++#if FUZZING ++#define ADD_DOT_ROWS_THRS 2 ++#else ++#define ADD_DOT_ROWS_THRS 2 ++#endif ++#endif /* ADD_DOT_ROWS_THRS */ ++ + /* Prints the stats (percentage of completion, speed, ETA) for current + row. DLTIME is the time spent downloading the data in current + row. +@@ -291,7 +306,11 @@ static const char *eta_to_human_short (int, bool); + might be worthwhile to split it to two different functions. */ + + static void ++#if ADD_DOT_ROWS_THRS ++print_row_stats (struct dot_progress *dp, double dltime, bool last, wgint added_rows) ++#else + print_row_stats (struct dot_progress *dp, double dltime, bool last) ++#endif + { + const wgint ROW_BYTES = opt.dot_bytes * opt.dots_in_line; + +@@ -316,12 +335,16 @@ print_row_stats (struct dot_progress *dp, double dltime, bool last) + } + + { +- static char names[] = {' ', 'K', 'M', 'G'}; ++ static char names[] = {' ', 'K', 'M', 'G', 'T'}; + int units; + double rate; + wgint bytes_this_row; + if (!last) ++#if ADD_DOT_ROWS_THRS ++ bytes_this_row = ROW_BYTES * added_rows; ++#else + bytes_this_row = ROW_BYTES; ++#endif + else + /* For last row also include bytes accumulated after last dot. */ + bytes_this_row = dp->dots * opt.dot_bytes + dp->accumulated; +@@ -391,8 +414,9 @@ dot_draw (void *progress) + + log_set_flush (false); + +- for (; dp->accumulated >= dot_bytes; dp->accumulated -= dot_bytes) ++ while (dp->accumulated >= dot_bytes) + { ++ dp->accumulated -= dot_bytes; + if (dp->dots == 0) + logprintf (LOG_PROGRESS, "\n%6sK", + number_to_static_string (dp->rows * ROW_BYTES / 1024)); +@@ -404,11 +428,26 @@ dot_draw (void *progress) + ++dp->dots; + if (dp->dots >= opt.dots_in_line) + { +- if (dp->rows < INT_MAX) +- ++dp->rows; + dp->dots = 0; +- ++#if ADD_DOT_ROWS_THRS ++ { ++ wgint added_rows = 1; ++ if (dp->accumulated >= (ROW_BYTES << ADD_DOT_ROWS_THRS)) ++ { ++ added_rows += dp->accumulated / ROW_BYTES; ++ dp->accumulated %= ROW_BYTES; ++ } ++ if (WGINT_MAX - dp->rows >= added_rows) ++ dp->rows += added_rows; ++ else ++ dp->rows = WGINT_MAX; ++ print_row_stats (dp, dp->dltime, false, added_rows); ++ } ++#else ++ if (dp->rows < WGINT_MAX) ++ ++dp->rows; + print_row_stats (dp, dp->dltime, false); ++#endif /* ADD_DOT_ROWS_THRS */ + } + } + +@@ -441,8 +480,11 @@ dot_finish (void *progress, double dltime) + dltime = INT_MAX - 1; + else if (dltime < 0) + dltime = 0; +- ++#if ADD_DOT_ROWS_THRS ++ print_row_stats (dp, dltime, true, 1); ++#else + print_row_stats (dp, dltime, true); ++#endif + logputs (LOG_VERBOSE, "\n\n"); + log_set_flush (false); + +@@ -721,7 +763,10 @@ bar_update (void *progress, wgint howmuch, double dltime) + struct bar_progress *bp = progress; + + bp->dltime = dltime; +- bp->count += howmuch; ++ if (WGINT_MAX - (bp->count + bp->initial_length) >= howmuch) ++ bp->count += howmuch; ++ else ++ bp->count = WGINT_MAX - bp->initial_length; + if (bp->total_length > 0 + && bp->count + bp->initial_length > bp->total_length) + /* We could be downloading more than total_length, e.g. when the +-- +2.19.1.windows.1 + diff --git a/fix-buffer-overflows-in-progress-bar-code.patch b/fix-buffer-overflows-in-progress-bar-code.patch new file mode 100644 index 0000000000000000000000000000000000000000..c9ed1afc199a87a9249aaecabb988b94bae622d6 --- /dev/null +++ b/fix-buffer-overflows-in-progress-bar-code.patch @@ -0,0 +1,139 @@ +From 07eebd2a2002c709f2332e411e593497fe7b3598 Mon Sep 17 00:00:00 2001 +From: Tim Rühsen +Date: Thu, 12 Dec 2019 13:25:43 +0100 +Subject: [PATCH] Fix buffer overflows in progress 'bar' code + +* src/progress.c (progress_interactive_p): Sanitize input. + (progress_update): Likewise. + (bar_create): Use larger BUF_LEN. + (bar_create): Remove superfluous memset. + (bar_create): Fix filename layout. + (bar_create): Remove filename scrolling code, it caused many buffer + overflows later in bar_create. + (bar_create): Support TB/s download speed. +--- + src/progress.c | 51 +++++++++++++++++++++++++++++++++++++------------- + 1 file changed, 38 insertions(+), 13 deletions(-) + +diff --git a/src/progress.c b/src/progress.c +index 02b6f04d..96d00398 100644 +--- a/src/progress.c ++++ b/src/progress.c +@@ -184,6 +184,15 @@ progress_interactive_p (void *progress _GL_UNUSED) + void + progress_update (void *progress, wgint howmuch, double dltime) + { ++ // sanitize input ++ if (dltime >= INT_MAX) ++ dltime = INT_MAX - 1; ++ else if (dltime < 0) ++ dltime = 0; ++ ++ if (howmuch < 0) ++ howmuch = 0; ++ + current_impl->update (progress, howmuch, dltime); + current_impl->draw (progress); + } +@@ -194,6 +203,12 @@ progress_update (void *progress, wgint howmuch, double dltime) + void + progress_finish (void *progress, double dltime) + { ++ // sanitize input ++ if (dltime >= INT_MAX) ++ dltime = INT_MAX - 1; ++ else if (dltime < 0) ++ dltime = 0; ++ + current_impl->finish (progress, dltime); + } + +@@ -612,8 +627,8 @@ bar_create (const char *f_download, wgint initial, wgint total) + bp->width = screen_width - 1; + /* + enough space for the terminating zero, and hopefully enough room + * for multibyte characters. */ +-#define BUF_LEN (bp->width + 100) +- bp->buffer = xmalloc (BUF_LEN); ++#define BUF_LEN (bp->width * 2 + 100) ++ bp->buffer = xcalloc (BUF_LEN, 1); + + logputs (LOG_VERBOSE, "\n"); + +@@ -965,8 +980,6 @@ create_image (struct bar_progress *bp, double dl_total_time, bool done) + int cols_diff; + const char *down_size; + +- memset (bp->buffer, '\0', BUF_LEN); +- + if (progress_size < 5) + progress_size = 0; + +@@ -976,15 +989,20 @@ create_image (struct bar_progress *bp, double dl_total_time, bool done) + else if (dl_total_time < 0) + dl_total_time = 0; + +- if (orig_filename_cols <= MAX_FILENAME_COLS) ++ if (orig_filename_cols < MAX_FILENAME_COLS) + { +- padding = MAX_FILENAME_COLS - orig_filename_cols; +- p += sprintf (p, "%s ", bp->f_download); ++ p += sprintf (p, "%s", bp->f_download); ++ padding = MAX_FILENAME_COLS - orig_filename_cols + 1; + memset (p, ' ', padding); + p += padding; + } + else + { ++ memcpy(p, bp->f_download, MAX_FILENAME_COLS); ++ p += MAX_FILENAME_COLS; ++ *p++ = ' '; ++ } ++/* + int offset_cols; + int bytes_in_filename, offset_bytes, col; + int *cols_ret = &col; +@@ -1021,6 +1039,7 @@ create_image (struct bar_progress *bp, double dl_total_time, bool done) + memset (p, ' ', padding + 1); + p += padding + 1; + } ++*/ + + /* "xx% " */ + if (bp->total_length > 0) +@@ -1109,8 +1128,8 @@ create_image (struct bar_progress *bp, double dl_total_time, bool done) + /* " 12.52Kb/s or 12.52KB/s" */ + if (hist->total_time > 0 && hist->total_bytes) + { +- static const char *short_units[] = { " B/s", "KB/s", "MB/s", "GB/s" }; +- static const char *short_units_bits[] = { " b/s", "Kb/s", "Mb/s", "Gb/s" }; ++ static const char *short_units[] = { " B/s", "KB/s", "MB/s", "GB/s", "TB/s" }; ++ static const char *short_units_bits[] = { " b/s", "Kb/s", "Mb/s", "Gb/s", "Tb/s" }; + int units = 0; + /* Calculate the download speed using the history ring and + recent data that hasn't made it to the ring yet. */ +@@ -1192,12 +1211,18 @@ create_image (struct bar_progress *bp, double dl_total_time, bool done) + } + } + ++ *p = '\0'; ++ + padding = bp->width - count_cols (bp->buffer); + assert (padding >= 0 && "Padding length became non-positive!"); +- padding = padding > 0 ? padding : 0; +- memset (p, ' ', padding); +- p += padding; +- *p = '\0'; ++ if (padding > 0) ++ { ++// if (padding > BUF_LEN - (p - bp->buffer) - 1) ++// padding = BUF_LEN - (p - bp->buffer) - 1; ++ memset (p, ' ', padding); ++ p += padding; ++ *p = '\0'; ++ } + + /* 2014-11-14 Darshit Shah + * Assert that the length of the progress bar is lesser than the size of the +-- +2.19.1.windows.1 + diff --git a/fix-segfault-in-progress-bar-in-certain-locales.patch b/fix-segfault-in-progress-bar-in-certain-locales.patch new file mode 100644 index 0000000000000000000000000000000000000000..7733db3adbfc733f739384a4cbf4dd5c11e435f3 --- /dev/null +++ b/fix-segfault-in-progress-bar-in-certain-locales.patch @@ -0,0 +1,47 @@ +From 6bd74e33d6d0ccc43031405819a6766382823828 Mon Sep 17 00:00:00 2001 +From: Tim Rühsen +Date: Wed, 18 Dec 2019 13:06:46 +0100 +Subject: [PATCH] Fix segfault in progress bar in certain locales + +* src/progress.c (create_image): Protect memset from negative count + +Reported-by: JunDong Xie +--- + src/progress.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/src/progress.c b/src/progress.c +index 80775b0c..63bebab8 100644 +--- a/src/progress.c ++++ b/src/progress.c +@@ -1099,8 +1099,11 @@ create_image (struct bar_progress *bp, double dl_total_time, bool done) + /* " 234.56M" */ + down_size = human_readable (size, 1000, 2); + cols_diff = PROGRESS_FILESIZE_LEN - count_cols (down_size); +- memset (p, ' ', cols_diff); +- p += cols_diff; ++ if (cols_diff > 0) ++ { ++ memset (p, ' ', cols_diff); ++ p += cols_diff; ++ } + p += sprintf (p, "%s", down_size); + + /* " 12.52Kb/s or 12.52KB/s" */ +@@ -1182,8 +1185,11 @@ create_image (struct bar_progress *bp, double dl_total_time, bool done) + else + ncols += sprintf (p + nbytes, "%ss", print_decimal (dl_total_time)); + p += ncols + bytes_cols_diff; +- memset (p, ' ', PROGRESS_ETA_LEN - ncols); +- p += PROGRESS_ETA_LEN - ncols; ++ if (ncols < PROGRESS_ETA_LEN) ++ { ++ memset (p, ' ', PROGRESS_ETA_LEN - ncols); ++ p += PROGRESS_ETA_LEN - ncols; ++ } + } + + padding = bp->width - count_cols (bp->buffer); +-- +2.19.1.windows.1 + diff --git a/fix-ub-print-row-stats-if-eta-negative.patch b/fix-ub-print-row-stats-if-eta-negative.patch new file mode 100644 index 0000000000000000000000000000000000000000..019821eb1b292cdacb5230631581a30c0056763d --- /dev/null +++ b/fix-ub-print-row-stats-if-eta-negative.patch @@ -0,0 +1,25 @@ +From abe1ab191698f4e3e337b5436c7060a0e4d103d7 Mon Sep 17 00:00:00 2001 +From: Tim Rühsen +Date: Thu, 12 Dec 2019 13:53:44 +0100 +Subject: [PATCH] * src/progress.c (print_row_stats): Fix UB if eta < 0 + +--- + src/progress.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/progress.c b/src/progress.c +index d2778d41..06750531 100644 +--- a/src/progress.c ++++ b/src/progress.c +@@ -327,6 +327,8 @@ print_row_stats (struct dot_progress *dp, double dltime, bool last) + /* The quantity downloaded in this download run. */ + wgint bytes_sofar = bytes_displayed - dp->initial_length; + double eta = dltime * bytes_remaining / bytes_sofar; ++ if (eta < 0) ++ eta = 0; + if (eta < INT_MAX - 1) + logprintf (LOG_PROGRESS, " %s", + eta_to_human_short ((int) (eta + 0.5), true)); +-- +2.19.1.windows.1 + diff --git a/print-row-stats-fix-two-integer-overflows.patch b/print-row-stats-fix-two-integer-overflows.patch new file mode 100644 index 0000000000000000000000000000000000000000..ed97600162596b23d3b5c57f75c0b65bed65d2cc --- /dev/null +++ b/print-row-stats-fix-two-integer-overflows.patch @@ -0,0 +1,38 @@ +From e2c0c2fbe5efd5da5524553189e376d53194a037 Mon Sep 17 00:00:00 2001 +From: Tim Rühsen +Date: Thu, 12 Dec 2019 16:14:57 +0100 +Subject: [PATCH] * src/progress.c (print_row_stats): Fix two integer overflows + +--- + src/progress.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/progress.c b/src/progress.c +index 96d00398..4217c620 100644 +--- a/src/progress.c ++++ b/src/progress.c +@@ -303,6 +303,9 @@ print_row_stats (struct dot_progress *dp, double dltime, bool last) + /* For last row also count bytes accumulated after last dot */ + bytes_displayed += dp->accumulated; + ++ if (bytes_displayed < 0) ++ bytes_displayed = 0; ++ + if (dp->total_length) + { + /* Round to floor value to provide gauge how much data *has* +@@ -338,9 +341,9 @@ print_row_stats (struct dot_progress *dp, double dltime, bool last) + Belperchinov-Shabanski's "wget-new-percentage" patch. */ + if (dp->total_length) + { +- wgint bytes_remaining = dp->total_length - bytes_displayed; ++ wgint bytes_remaining = dp->total_length > bytes_displayed ? dp->total_length - bytes_displayed : 0; + /* The quantity downloaded in this download run. */ +- wgint bytes_sofar = bytes_displayed - dp->initial_length; ++ wgint bytes_sofar = bytes_displayed > dp->initial_length ? bytes_displayed - dp->initial_length : 1; + double eta = dltime * bytes_remaining / bytes_sofar; + if (eta < 0) + eta = 0; +-- +2.19.1.windows.1 + diff --git a/wget.spec b/wget.spec index dde6661a3008d808a22becb5ad3d4eaf54c27d96..c15735055db7e3f2a3b7d1e7398631eed6db3dc7 100644 --- a/wget.spec +++ b/wget.spec @@ -1,11 +1,24 @@ Name: wget Version: 1.20.3 -Release: 1 +Release: 2 Summary: A package for retrieving files using HTTP, HTTPS, FTP and FTPS the most widely-used Internet protocols. License: GPLv3+ Url: http://www.gnu.org/software/wget/ Source: ftp://ftp.gnu.org/gnu/wget/wget-%{version}.tar.gz +Patch6000: create_image-Sanitize-input-param-dl_total_time.patch +Patch6001: allow-const-names-for-set-progress-implementation.patch +Patch6002: fix-ub-print-row-stats-if-eta-negative.patch +Patch6003: dot-update-dot-finish-sanitize-input.patch +Patch6004: fix-segfault-in-progress-bar-in-certain-locales.patch +Patch6005: fix-buffer-overflows-in-progress-bar-code.patch +Patch6006: calc_rate-fix-division-by-zero.patch +Patch6007: print-row-stats-fix-two-integer-overflows.patch +Patch6008: dot-draw-avoid-integer-overflows.patch +Patch6009: fix-and-cleanup-progress-bar-code.patch + +Patch9000: avoid-triggering-signed-integer-overflow.patch + Provides: webclient bundled(gnulib) BuildRequires: perl-HTTP-Daemon python3 libuuid-devel perl-podlators libpsl-devel libmetalink-devel BuildRequires: gnutls-devel pkgconfig texinfo gettext autoconf libidn2-devel gpgme-devel zlib-devel @@ -52,6 +65,12 @@ make check %{_infodir}/* %changelog +* Thu Apr 23 2020 openEuler Buildteam - 1.20.3-2 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:Sanitize input param dl_total_time + * Sat Jan 11 2020 openEuler Buildteam - 1.20.3-1 - Type:NA - ID:NA