Fixed buffer overflow in lib/common/shapes.c
Resolves: CVE-2020-18032 Resolves: rhbz#1967691 Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
This commit is contained in:
parent
1006bbd953
commit
0ccfd1cd28
40
graphviz-2.44.0-CVE-2020-18032.patch
Normal file
40
graphviz-2.44.0-CVE-2020-18032.patch
Normal file
@ -0,0 +1,40 @@
|
||||
From 784411ca3655c80da0f6025ab20634b2a6ff696b Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Fernandez <matthew.fernandez@gmail.com>
|
||||
Date: Sat, 25 Jul 2020 19:31:01 -0700
|
||||
Subject: [PATCH] fix: out-of-bounds write on invalid label
|
||||
|
||||
When the label for a node cannot be parsed (due to it being malformed), it falls
|
||||
back on the symbol name of the node itself. I.e. the default label the node
|
||||
would have had if it had no label attribute at all. However, this is applied by
|
||||
dynamically altering the node's label to "\N", a shortcut for the symbol name of
|
||||
the node. All of this is fine, however if the hand written label itself is
|
||||
shorter than the literal string "\N", not enough memory would have been
|
||||
allocated to write "\N" into the label text.
|
||||
|
||||
Here we account for the possibility of error during label parsing, and assume
|
||||
that the label text may need to be overwritten with "\N" after the fact. Fixes
|
||||
issue #1700.
|
||||
---
|
||||
lib/common/shapes.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/common/shapes.c b/lib/common/shapes.c
|
||||
index 0a0635fc3..9dca9ba6e 100644
|
||||
--- a/lib/common/shapes.c
|
||||
+++ b/lib/common/shapes.c
|
||||
@@ -3546,9 +3546,10 @@ static void record_init(node_t * n)
|
||||
reclblp = ND_label(n)->text;
|
||||
len = strlen(reclblp);
|
||||
/* For some forgotten reason, an empty label is parsed into a space, so
|
||||
- * we need at least two bytes in textbuf.
|
||||
+ * we need at least two bytes in textbuf, as well as accounting for the
|
||||
+ * error path involving "\\N" below.
|
||||
*/
|
||||
- len = MAX(len, 1);
|
||||
+ len = MAX(MAX(len, 1), (int)strlen("\\N"));
|
||||
textbuf = N_NEW(len + 1, char);
|
||||
if (!(info = parse_reclbl(n, flip, TRUE, textbuf))) {
|
||||
agerr(AGERR, "bad label format %s\n", ND_label(n)->text);
|
||||
--
|
||||
GitLab
|
||||
|
@ -68,7 +68,7 @@
|
||||
Name: graphviz
|
||||
Summary: Graph Visualization Tools
|
||||
Version: 2.44.0
|
||||
Release: 22%{?dist}
|
||||
Release: 23%{?dist}
|
||||
License: EPL-1.0
|
||||
URL: http://www.graphviz.org/
|
||||
Source0: https://gitlab.com/%{name}/%{name}/-/archive/%{version}/%{name}-%{version}.tar.bz2
|
||||
@ -77,6 +77,7 @@ Patch0: graphviz-2.42.2-dotty-menu-fix.patch
|
||||
Patch1: graphviz-2.42.2-coverity-scan-fixes.patch
|
||||
# rhbz#1612692, https://gitlab.com/graphviz/graphviz/-/merge_requests/1367
|
||||
Patch2: graphviz-2.44.0-man-fix.patch
|
||||
Patch3: graphviz-2.44.0-CVE-2020-18032.patch
|
||||
BuildRequires: gcc-g++
|
||||
BuildRequires: zlib-devel, libpng-devel, libjpeg-devel, expat-devel, freetype-devel >= 2
|
||||
BuildRequires: ksh, bison, m4, flex, tk-devel, tcl-devel >= 8.3, swig, sed
|
||||
@ -298,6 +299,7 @@ Various tcl packages (extensions) for the graphviz tools.
|
||||
%patch0 -p1 -b .dotty-menu-fix
|
||||
%patch1 -p1 -b .coverity-scan-fixes
|
||||
%patch2 -p1 -b .man-fix
|
||||
%patch3 -p1 -b .CVE-2020-18032
|
||||
|
||||
# Attempt to fix rpmlint warnings about executable sources
|
||||
find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';'
|
||||
@ -602,6 +604,10 @@ php --no-php-ini \
|
||||
%{_mandir}/man3/*.3tcl*
|
||||
|
||||
%changelog
|
||||
* Thu Jun 3 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 2.44.0-23
|
||||
- Fixed buffer overflow in lib/common/shapes.c
|
||||
Resolves: CVE-2020-18032
|
||||
|
||||
* Mon May 24 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 2.44.0-22
|
||||
- Release bump to workaround OSCI problems
|
||||
Related: rhbz#1955686
|
||||
|
Loading…
Reference in New Issue
Block a user