Add patch from upstream to fix CVE-2016-10091 (buffer overflow in various cmd_ functions)
closes: 849705
Willi Mann
7 years ago
| 0 | From: Jean-Francois Dockes <jf@dockes.org> | |
| 1 | Date: Sat, 31 Dec 2016 20:25:19 +0100 | |
| 2 | Subject: Replace all instances of sprintf with snprintf and adjust size of | |
| 3 | integer field in some cases | |
| 4 | ||
| 5 | This fixes CVE-2016-10091 | |
| 6 | ||
| 7 | Bug-Debian: https://bugs.debian.org/849705 | |
| 8 | --- | |
| 9 | src/attr.c | 4 ++-- | |
| 10 | src/convert.c | 28 ++++++++++++++-------------- | |
| 11 | src/output.c | 4 ++-- | |
| 12 | 3 files changed, 18 insertions(+), 18 deletions(-) | |
| 13 | ||
| 14 | diff --git a/src/attr.c b/src/attr.c | |
| 15 | index 0337fd0..aea2a69 100644 | |
| 16 | --- a/src/attr.c | |
| 17 | +++ b/src/attr.c | |
| 18 | @@ -743,7 +743,7 @@ char * | |
| 19 | assemble_string(char *string, int nr) | |
| 20 | { | |
| 21 | ||
| 22 | - char *s, tmp[12];/* Number of characters that can be in int type (including '\0') - AF */ | |
| 23 | + char *s, tmp[20]; | |
| 24 | int i = 0, j = 0; | |
| 25 | ||
| 26 | if (string == NULL) | |
| 27 | @@ -759,7 +759,7 @@ assemble_string(char *string, int nr) | |
| 28 | } | |
| 29 | ||
| 30 | if (string[i] != '\0') { | |
| 31 | - sprintf(tmp, "%d", nr); | |
| 32 | + snprintf(tmp, 20, "%d", nr); | |
| 33 | strcpy(&s[j], tmp); | |
| 34 | j = j + strlen(tmp); | |
| 35 | } | |
| 36 | diff --git a/src/convert.c b/src/convert.c | |
| 37 | index d22a2f9..62355be 100644 | |
| 38 | --- a/src/convert.c | |
| 39 | +++ b/src/convert.c | |
| 40 | @@ -448,7 +448,7 @@ static const int fcharsetparmtocp(int parm) | |
| 41 | } | |
| 42 | ||
| 43 | // Translate code page to encoding name hopefully suitable as iconv input | |
| 44 | -static char *cptoencoding(parm) | |
| 45 | +static char *cptoencoding(int parm) | |
| 46 | { | |
| 47 | // Note that CP0 is supposed to mean current system default, which does | |
| 48 | // not make any sense as a stored value, we don't handle it. | |
| 49 | @@ -935,7 +935,7 @@ cmd_cf (Word *w, int align, char has_param, int num) { | |
| 50 | } | |
| 51 | else | |
| 52 | { | |
| 53 | - sprintf(str,"#%02x%02x%02x", | |
| 54 | + snprintf(str, 40, "#%02x%02x%02x", | |
| 55 | color_table[num].r, | |
| 56 | color_table[num].g, | |
| 57 | color_table[num].b); | |
| 58 | @@ -962,7 +962,7 @@ cmd_cb (Word *w, int align, char has_param, int num) { | |
| 59 | } | |
| 60 | else | |
| 61 | { | |
| 62 | - sprintf(str,"#%02x%02x%02x", | |
| 63 | + snprintf(str, 40, "#%02x%02x%02x", | |
| 64 | color_table[num].r, | |
| 65 | color_table[num].g, | |
| 66 | color_table[num].b); | |
| 67 | @@ -987,7 +987,7 @@ cmd_fs (Word *w, int align, char has_param, int points) { | |
| 68 | /* Note, fs20 means 10pt */ | |
| 69 | points /= 2; | |
| 70 | ||
| 71 | - sprintf(str,"%d",points); | |
| 72 | + snprintf(str, 20, "%d", points); | |
| 73 | attr_push(ATTR_FONTSIZE,str); | |
| 74 | ||
| 75 | return FALSE; | |
| 76 | @@ -1118,7 +1118,7 @@ cmd_f (Word *w, int align, char has_param, int num) | |
| 77 | { | |
| 78 | // TOBEDONE: WHAT'S THIS ??? | |
| 79 | name = my_malloc(12); | |
| 80 | - sprintf(name, "%d", num); | |
| 81 | + snprintf(name, 12, "%d", num); | |
| 82 | } | |
| 83 | ||
| 84 | /* we are going to output entities, so should not output font */ | |
| 85 | @@ -1169,7 +1169,7 @@ cmd_highlight (Word *w, int align, char has_param, int num) | |
| 86 | } | |
| 87 | else | |
| 88 | { | |
| 89 | - sprintf(str,"#%02x%02x%02x", | |
| 90 | + snprintf(str, 40, "#%02x%02x%02x", | |
| 91 | color_table[num].r, | |
| 92 | color_table[num].g, | |
| 93 | color_table[num].b); | |
| 94 | @@ -1324,9 +1324,9 @@ cmd_ftech (Word *w, int align, char has_param, int param) { | |
| 95 | ||
| 96 | static int | |
| 97 | cmd_expand (Word *w, int align, char has_param, int param) { | |
| 98 | - char str[10]; | |
| 99 | + char str[20]; | |
| 100 | if (has_param) { | |
| 101 | - sprintf(str, "%d", param/4); | |
| 102 | + snprintf(str, 20, "%d", param / 4); | |
| 103 | if (!param) | |
| 104 | attr_pop(ATTR_EXPAND); | |
| 105 | else | |
| 106 | @@ -1345,7 +1345,7 @@ cmd_expand (Word *w, int align, char has_param, int param) { | |
| 107 | ||
| 108 | static int | |
| 109 | cmd_emboss (Word *w, int align, char has_param, int param) { | |
| 110 | - char str[10]; | |
| 111 | + char str[20]; | |
| 112 | if (has_param && !param) | |
| 113 | #ifdef SUPPORT_UNNESTED | |
| 114 | attr_find_pop(ATTR_EMBOSS); | |
| 115 | @@ -1354,7 +1354,7 @@ cmd_emboss (Word *w, int align, char has_param, int param) { | |
| 116 | #endif | |
| 117 | else | |
| 118 | { | |
| 119 | - sprintf(str, "%d", param); | |
| 120 | + snprintf(str, 20, "%d", param); | |
| 121 | attr_push(ATTR_EMBOSS, str); | |
| 122 | } | |
| 123 | return FALSE; | |
| 124 | @@ -1370,12 +1370,12 @@ cmd_emboss (Word *w, int align, char has_param, int param) { | |
| 125 | ||
| 126 | static int | |
| 127 | cmd_engrave (Word *w, int align, char has_param, int param) { | |
| 128 | - char str[10]; | |
| 129 | + char str[20]; | |
| 130 | if (has_param && !param) | |
| 131 | attr_pop(ATTR_ENGRAVE); | |
| 132 | else | |
| 133 | { | |
| 134 | - sprintf(str, "%d", param); | |
| 135 | + snprintf(str, 20, "%d", param); | |
| 136 | attr_push(ATTR_ENGRAVE, str); | |
| 137 | } | |
| 138 | return FALSE; | |
| 139 | @@ -1919,7 +1919,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) { | |
| 140 | ||
| 141 | short done=0; | |
| 142 | long unicode_number = (long) param; /* On 16bit architectures int is too small to store unicode characters. - AF */ | |
| 143 | - char tmp[12]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */ | |
| 144 | + char tmp[20]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */ | |
| 145 | char *alias; | |
| 146 | #define DEBUG 0 | |
| 147 | #if DEBUG | |
| 148 | @@ -1949,7 +1949,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) { | |
| 149 | /* RTF spec: Unicode values beyond 32767 are represented by negative numbers */ | |
| 150 | unicode_number += 65536; | |
| 151 | } | |
| 152 | - sprintf(tmp, "%ld", unicode_number); | |
| 153 | + snprintf(tmp, 20, "%ld", unicode_number); | |
| 154 | ||
| 155 | if (safe_printf(1, op->unisymbol_print, tmp)) fprintf(stderr, TOO_MANY_ARGS, "unisymbol_print"); | |
| 156 | done++; | |
| 157 | diff --git a/src/output.c b/src/output.c | |
| 158 | index 2584e06..4342bfe 100644 | |
| 159 | --- a/src/output.c | |
| 160 | +++ b/src/output.c | |
| 161 | @@ -320,7 +320,7 @@ op_begin_std_fontsize (OutputPersonality *op, int size) | |
| 162 | if (!found_std_expr) { | |
| 163 | if (op->fontsize_begin) { | |
| 164 | char expr[16]; | |
| 165 | - sprintf (expr, "%d", size); | |
| 166 | + snprintf(expr, 16, "%d", size); | |
| 167 | if (safe_printf (1, op->fontsize_begin, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_begin"); | |
| 168 | } else { | |
| 169 | /* If we cannot write out a change for the exact | |
| 170 | @@ -449,7 +449,7 @@ op_end_std_fontsize (OutputPersonality *op, int size) | |
| 171 | if (!found_std_expr) { | |
| 172 | if (op->fontsize_end) { | |
| 173 | char expr[16]; | |
| 174 | - sprintf (expr, "%d", size); | |
| 175 | + snprintf(expr, 16, "%d", size); | |
| 176 | if (safe_printf(1, op->fontsize_end, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_end"); | |
| 177 | } else { | |
| 178 | /* If we cannot write out a change for the exact |