Codebase list rust-libslirp / 72e4619
Add patch to http for fixing RUSTSEC-2019-0033 Wolfgang Silbermayr 3 years ago
4 changed file(s) with 63 addition(s) and 2 deletion(s). Raw diff Collapse all Expand all
+7
-0
src/http/debian/changelog less more
0 rust-http (0.1.19-2) UNRELEASED-FIXME-AUTOGENERATED-DEBCARGO; urgency=medium
1
2 * Package http 0.1.19 from crates.io using debcargo 2.4.3
3 * Resolve RUSTSEC-2019-0033 (Closes: #969896)
4
5 -- Wolfgang Silbermayr <wolfgang@silbermayr.at> Mon, 08 Mar 2021 07:13:40 +0100
6
07 rust-http (0.1.19-1) unstable; urgency=medium
18
29 * Package http 0.1.19 from crates.io using debcargo 2.4.0
+2
-2
src/http/debian/copyright.debcargo.hint less more
3333
3434 Files: debian/*
3535 Copyright:
36 2018-2019 Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>
37 2018-2019 Wolfgang Silbermayr <wolfgang@silbermayr.at>
36 2018-2021 Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>
37 2018-2021 Wolfgang Silbermayr <wolfgang@silbermayr.at>
3838 License: MIT or Apache-2.0
3939
4040 License: Apache-2.0
+53
-0
src/http/debian/patches/fix-capacity-overflows-in-headermap-reserve.patch less more
0 From 81ceb611cf96abe91d91693e813cd5ee36cdae02 Mon Sep 17 00:00:00 2001
1 From: Sean McArthur <sean@seanmonstar.com>
2 Date: Mon, 25 Nov 2019 15:54:04 -0800
3 Subject: Fix capacity overflows in HeaderMap::reserve
4 The patch required minimal adaption from upstream because the surrounding
5 code had changed in upstream `master` branch over the 0.1.19 release.
6 .
7 Contrary to what one might assume with knowledge of `assert()` in C, the
8 rust `assert!()` macro never gets removed for optimization, and is always
9 checked resulting in a `panic!()` and thus a controlled shutdown of the
10 process as described in
11 https://doc.rust-lang.org/std/macro.assert.html#uses.
12 Origin: upstream, https://github.com/hyperium/http/commit/81ceb611cf96abe91d91693e813cd5ee36cdae02
13 Bug: https://github.com/hyperium/http/issues/352
14 Bug-Debian: https://bugs.debian.org/969896
15
16 --- a/src/header/map.rs
17 +++ b/src/header/map.rs
18 @@ -628,6 +628,9 @@
19
20 if cap > self.indices.len() {
21 let cap = cap.next_power_of_two();
22 + assert!(cap < MAX_SIZE, "header map reserve over max capacity");
23 + assert!(cap != 0, "header map reserve overflowed");
24 +
25
26 if self.entries.len() == 0 {
27 self.mask = cap - 1;
28 --- a/tests/header_map.rs
29 +++ b/tests/header_map.rs
30 @@ -38,6 +38,22 @@
31 }
32
33 #[test]
34 +#[should_panic]
35 +fn reserve_over_capacity() {
36 + // See https://github.com/hyperium/http/issues/352
37 + let mut headers = HeaderMap::<u32>::with_capacity(32);
38 + headers.reserve(50_000); // over MAX_SIZE
39 +}
40 +
41 +#[test]
42 +#[should_panic]
43 +fn reserve_overflow() {
44 + // See https://github.com/hyperium/http/issues/352
45 + let mut headers = HeaderMap::<u32>::with_capacity(0);
46 + headers.reserve(std::usize::MAX); // next_power_of_two overflows
47 +}
48 +
49 +#[test]
50 fn drain() {
51 let mut headers = HeaderMap::new();
52
+1
-0
src/http/debian/patches/series less more
0 fix-capacity-overflows-in-headermap-reserve.patch