unrtf / 99bd41b
convert.c: fix buffer overflow Willi Mann 7 years ago
3 changed file(s) with 64 addition(s) and 22 deletion(s).
+0
-21
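--- a/debian/patches/0001-cmd_expand-Make-buffer-bigger.patch
+++ b/debian/patches/0001-cmd_expand-Make-buffer-bigger.patch
@@ -1,21 +0,0 @@
-From: Willi Mann <willi@debian.org>
-Date: Sat, 31 Dec 2016 14:43:10 +0100
-Subject: cmd_expand: Make buffer bigger
-
----
-src/convert.c | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/convert.c b/src/convert.c
-index c76d7d6..376be5f 100644
---- a/src/convert.c
-+++ b/src/convert.c
-@@ -1373,7 +1373,7 @@ cmd_ftech (Word *w, int align, char has_param, int param) {
-
-static int
-cmd_expand (Word *w, int align, char has_param, int param) {
-- char str[10];
-+ char str[15];
-if (has_param) {
-sprintf(str, "%d", param/4);
-if (!param)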
0 From: Willi Mann <willi@debian.org>
1 Date: Sat, 31 Dec 2016 14:43:10 +0100
2 Subject: convert.c: Use safe buffer size and snprintf
3
4 cmd_expand, cmd_emboss, and cmd_engrave print an integer to a stack buffer.
5 Unfortunately, the previous buffer size of 10 is to small (e.g., to store -1 *
6 10^9), such that a buffer overflow could be provoked. This patch increases the
7 buffer size to 12 and switches to snprintf.
8
9 Bug-Debian: https://bugs.debian.org/849705
10 ---
11 src/convert.c | 12 ++++++------
12 1 file changed, 6 insertions(+), 6 deletions(-)
13
14 diff --git a/src/convert.c b/src/convert.c
15 index c76d7d6..5294743 100644
16 --- a/src/convert.c
17 +++ b/src/convert.c
18 @@ -1373,9 +1373,9 @@ cmd_ftech (Word *w, int align, char has_param, int param) {
19
20 static int
21 cmd_expand (Word *w, int align, char has_param, int param) {
22 - char str[10];
23 + char str[12];
24 if (has_param) {
25 - sprintf(str, "%d", param/4);
26 + snprintf(str, 12, "%d", param/4);
27 if (!param)
28 attr_pop(ATTR_EXPAND);
29 else
30 @@ -1394,7 +1394,7 @@ cmd_expand (Word *w, int align, char has_param, int param) {
31
32 static int
33 cmd_emboss (Word *w, int align, char has_param, int param) {
34 - char str[10];
35 + char str[12];
36 if (has_param && !param)
37 #ifdef SUPPORT_UNNESTED
38 attr_find_pop(ATTR_EMBOSS);
39 @@ -1403,7 +1403,7 @@ cmd_emboss (Word *w, int align, char has_param, int param) {
40 #endif
41 else
42 {
43 - sprintf(str, "%d", param);
44 + snprintf(str, 12, "%d", param);
45 attr_push(ATTR_EMBOSS, str);
46 }
47 return FALSE;
48 @@ -1419,12 +1419,12 @@ cmd_emboss (Word *w, int align, char has_param, int param) {
49
50 static int
51 cmd_engrave (Word *w, int align, char has_param, int param) {
52 - char str[10];
53 + char str[12];
54 if (has_param && !param)
55 attr_pop(ATTR_ENGRAVE);
56 else
57 {
58 - sprintf(str, "%d", param);
59 + snprintf(str, 12, "%d", param);
60 attr_push(ATTR_ENGRAVE, str);
61 }
62 return FALSE;
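Review bot: The three new `snprintf(str, 12, ...)` calls in cmd_expand, cmd_emboss and cmd_engrave repeat the array length as a literal, so a later edit to `char str[12]` can silently reintroduce the overflow. Writing `snprintf(str, sizeof str, "%d", param);` (and `param/4` in cmd_expand) ties the bound to the buffer. The size 12 is sufficient only while `int` is 32 bits, which deserves a comment at each declaration such as `/* "-2147483648" plus NUL */`. The function bodies extend beyond the hunks shown, so any other `sprintf` into a fixed-size buffer in convert.c is not visible here and would need the same treatment.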
0 0001-cmd_expand-Make-buffer-bigger.patch
0 0001-convert.c-Use-safe-buffer-size-and-snprintf.patch