Augie Fackler <augie@google.com> [Mon, 30 Apr 2018 22:24:58 -0400] rev 37868
mpatch: avoid integer overflow in combine() (SEC)
All the callers of this function can handle a NULL return, so that
appears to be the "safe" way to report an error.
Augie Fackler <augie@google.com> [Mon, 30 Apr 2018 22:23:06 -0400] rev 37867
mpatch: avoid integer overflow in mpatch_decode (SEC)
Augie Fackler <augie@google.com> [Mon, 30 Apr 2018 22:20:13 -0400] rev 37866
mpatch: fix UB integer overflows in discard() (SEC)
Augie Fackler <augie@google.com> [Mon, 30 Apr 2018 22:15:11 -0400] rev 37865
mpatch: fix UB in int overflows in gather() (SEC)
Augie Fackler <augie@google.com> [Thu, 03 May 2018 12:54:20 -0400] rev 37864
mpatch: introduce a safesub() helper as well
Same reason as safeadd().
Augie Fackler <augie@google.com> [Mon, 30 Apr 2018 22:13:42 -0400] rev 37863
mpatch: introduce a safeadd() helper to work around UB int overflow
We're about to make extensive use of this. This change duplicates some
stdbool.h portability hacks from cext/util.h. We should probably clean
that up in the future, but we'll skip that for now in order to make
security backports easier.
Augie Fackler <augie@google.com> [Sat, 28 Apr 2018 10:09:12 -0400] rev 37862
mpatch: ensure fragment start isn't past the end of orig (SEC)
Caught by oss-fuzz fuzzer during development.
This defect is OVE-20180430-0004. A CVE has not been obtained as of
this writing.