Bug 1275400 - Porting upstream fixes for use-after-free vulnerability of libical. r=philipp DONTBUILD
authorMakeMyDay <makemyday@gmx-topmail.de>
Thu, 27 Sep 2018 15:35:26 +0200
changeset 33255 4a2171ca49dac042b79ce673444c0e62ebab613f
parent 33254 6fbac9b8d7fd258b31469abe28090ace20c92b53
child 33256 42792e593b1acf771d6a8ef560663d6a60162d3d
push id387
push userclokep@gmail.com
push dateMon, 10 Dec 2018 21:30:47 +0000
reviewersphilipp
bugs1275400
Bug 1275400 - Porting upstream fixes for use-after-free vulnerability of libical. r=philipp DONTBUILD https://github.com/libical/libical/ * Issue 253 / Commit 6b9438d746cec6e4e632d78c5244f4be6314d1c9 * Issue 251 / Commit 38757abb495ea6cb40faa5418052278bf75040f7 * Issue 251 / Commit 830d9530817516377c2bc3b532798ce2c6b4765a
calendar/libical/src/libical/icalparser.c
calendar/libical/src/libical/icaltime.c
calendar/libical/src/libical/icaltypes.c
--- a/calendar/libical/src/libical/icalparser.c
+++ b/calendar/libical/src/libical/icalparser.c
@@ -726,34 +726,20 @@ icalcomponent* icalparser_add_line(icalp
 	icalcomponent *c;
         icalcomponent_kind comp_kind;
 
 	icalmemory_free_buffer(str);
 	str = NULL;
 
 	parser->level++;
 	str = parser_get_next_value(end,&end, value_kind);
-	    
-
-        comp_kind = icalenum_string_to_component_kind(str);
-
-
-        if (comp_kind == ICAL_NO_COMPONENT){
-
 
-	    c = icalcomponent_new(ICAL_XLICINVALID_COMPONENT);
-	    insert_error(c,str,"Parse error in component name",
-			 ICAL_XLICERRORTYPE_COMPONENTPARSEERROR);
-        }
+    comp_kind = icalenum_string_to_component_kind(str);
 
-	if (comp_kind != ICAL_X_COMPONENT) {
-	    c  =  icalcomponent_new(comp_kind);
-	} else {
-	    c  =  icalcomponent_new_x(str);
-	}
+    c  =  icalcomponent_new(comp_kind);
 
 	if (c == 0){
 	    c = icalcomponent_new(ICAL_XLICINVALID_COMPONENT);
 	    insert_error(c,str,"Parse error in component name",
 			 ICAL_XLICERRORTYPE_COMPONENTPARSEERROR);
 	}
 	    
 	pvl_push(parser->components,c);
--- a/calendar/libical/src/libical/icaltime.c
+++ b/calendar/libical/src/libical/icaltime.c
@@ -512,30 +512,30 @@ struct icaltimetype icaltime_from_string
     struct icaltimetype tt = icaltime_null_time();
     int size;
 
     icalerror_check_arg_re(str!=0,"str",icaltime_null_time());
 
     size = strlen(str);
     
     if ((size == 15) || (size == 19)) { /* floating time with/without separators*/
-	tt.is_utc = 0;
-	tt.is_date = 0;
+        tt.is_utc = 0;
+        tt.is_date = 0;
     } else if ((size == 16) || (size == 20)) { /* UTC time, ends in 'Z'*/
-	if ((str[15] != 'Z') && (str[19] != 'Z'))
-	    goto FAIL;
+        if ((str[size-1] != 'Z'))
+            goto FAIL;
 
-	tt.is_utc = 1;
-	tt.zone = icaltimezone_get_utc_timezone();
-	tt.is_date = 0;
+        tt.is_utc = 1;
+        tt.zone = icaltimezone_get_utc_timezone();
+        tt.is_date = 0;
     } else if ((size == 8) || (size == 10)) { /* A DATE */
-	tt.is_utc = 0;
-	tt.is_date = 1;
+        tt.is_utc = 0;
+        tt.is_date = 1;
     } else { /* error */
-	goto FAIL;
+        goto FAIL;
     }
 
     if (tt.is_date == 1){
         if (size == 10) {
             char dsep1, dsep2;    
             if (sscanf(str,"%04d%c%02d%c%02d",&tt.year,&dsep1,&tt.month,&dsep2,&tt.day) < 5)
                 goto FAIL;
             if ((dsep1 != '-') || (dsep2 != '-'))
--- a/calendar/libical/src/libical/icaltypes.c
+++ b/calendar/libical/src/libical/icaltypes.c
@@ -161,17 +161,17 @@ struct icalreqstattype icalreqstattype_f
 
   /* Just ignore the second clause; it will be taken from inside the library 
    */
 
 
 
   p2 = strchr(p1+1,';');
   if (p2 != 0 && *p2 != 0){
-    stat.debug = p2+1;
+    stat.debug = icalmemory_tmp_copy(p2 + 1);
   } 
 
   return stat;
   
 }
 
 const char* icalreqstattype_as_string(struct icalreqstattype stat)
 {