graphviz/graphviz-2.34.0-CVE-2014-1236.patch
Jaroslav Škarvada 8a174ca0bb Prevent possible buffer overflow in yyerror()
Resolves: CVE-2014-1235
- Fix possible buffer overflow problem in chkNum of scanner
  Resolves: CVE-2014-1236
2014-01-10 10:28:08 +01:00

59 lines
1.6 KiB
Diff

From 1d1bdec6318746f6f19f245db589eddc887ae8ff Mon Sep 17 00:00:00 2001
From: "Emden R. Gansner" <erg@alum.mit.edu>
Date: Wed, 8 Jan 2014 11:31:04 -0500
Subject: [PATCH] Fix possible buffer overflow problem in chkNum of scanner.
---
lib/cgraph/scan.l | 35 ++++++++++++++++++++++++++---------
1 file changed, 26 insertions(+), 9 deletions(-)
diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
index 212967c..d065b61 100644
--- a/lib/cgraph/scan.l
+++ b/lib/cgraph/scan.l
@@ -129,15 +129,32 @@ static void ppDirective (void)
* and report this to the user.
*/
static int chkNum(void) {
- unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */
- if (!isdigit(c) && (c != '.')) { /* c is letter */
- char buf[BUFSIZ];
- sprintf(buf,"syntax error - badly formed number '%s' in line %d of %s\n",yytext,line_num, InputFile);
- strcat (buf, "splits into two name tokens\n");
- agerr(AGWARN,buf);
- return 1;
- }
- else return 0;
+ unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */
+ if (!isdigit(c) && (c != '.')) { /* c is letter */
+ unsigned char xbuf[BUFSIZ];
+ char buf[BUFSIZ];
+ agxbuf xb;
+ char* fname;
+
+ if (InputFile)
+ fname = InputFile;
+ else
+ fname = "input";
+
+ agxbinit(&xb, BUFSIZ, xbuf);
+
+ agxbput(&xb,"syntax ambiguity - badly delimited number '");
+ agxbput(&xb,yytext);
+ sprintf(buf,"' in line %d of ", line_num);
+ agxbput(&xb,buf);
+ agxbput(&xb,fname);
+ agxbput(&xb, " splits into two tokens\n");
+ agerr(AGWARN,agxbuse(&xb));
+
+ agxbfree(&xb);
+ return 1;
+ }
+ else return 0;
}
/* The LETTER class below consists of ascii letters, underscore, all non-ascii
--
1.8.5.1