out of bounds read access in is_utf8_well_formed()
Resolves: #1201310 CVE-2014-9488 This is an update of the previous patch. The function is_utf8_well_formed was defined in charset.c with a single parameter; I was surprised that it even compiled. This new patch updates the implementation of is_utf8_well_formed itself and also fixes its other use. The code is taken from Mark Nudelman's unreleased version of less.
parent
a879a7d3f4
commit
48f39f63a0
@ -1,6 +1,51 @@
|
||||
--- less-474/line.c 2015-01-31 00:20:29.000000000 +0100
|
||||
+++ less-475/line.c 2015-03-05 20:07:08.000000000 +0100
|
||||
@@ -807,7 +807,7 @@
|
||||
diff -up ./less-471/charset.c.utf8 ./less-471/charset.c
|
||||
--- ./less-471/charset.c.utf8 2014-12-14 19:19:11.000000000 +0100
|
||||
+++ ./less-471/charset.c 2015-06-01 08:59:38.140122262 +0200
|
||||
@@ -506,8 +506,9 @@ utf_len(ch)
|
||||
* Does the parameter point to the lead byte of a well-formed UTF-8 character?
|
||||
*/
|
||||
public int
|
||||
-is_utf8_well_formed(s)
|
||||
+is_utf8_well_formed(s, slen)
|
||||
unsigned char *s;
|
||||
+ int slen;
|
||||
{
|
||||
int i;
|
||||
int len;
|
||||
@@ -516,6 +517,8 @@ is_utf8_well_formed(s)
|
||||
return (0);
|
||||
|
||||
len = utf_len((char) s[0]);
|
||||
+ if (len > slen)
|
||||
+ return (0);
|
||||
if (len == 1)
|
||||
return (1);
|
||||
if (len == 2)
|
||||
@@ -547,7 +550,7 @@ utf_bin_count(data, len)
|
||||
int bin_count = 0;
|
||||
while (len > 0)
|
||||
{
|
||||
- if (is_utf8_well_formed(data))
|
||||
+ if (is_utf8_well_formed(data, len))
|
||||
{
|
||||
int clen = utf_len(*data);
|
||||
data += clen;
|
||||
diff -up ./less-471/cmdbuf.c.utf8 ./less-471/cmdbuf.c
|
||||
--- ./less-471/cmdbuf.c.utf8 2014-12-14 19:19:11.000000000 +0100
|
||||
+++ ./less-471/cmdbuf.c 2015-06-01 09:00:43.247776312 +0200
|
||||
@@ -1264,7 +1264,7 @@ cmd_char(c)
|
||||
cmd_mbc_buf[cmd_mbc_buf_index++] = c;
|
||||
if (cmd_mbc_buf_index < cmd_mbc_buf_len)
|
||||
return (CC_OK);
|
||||
- if (!is_utf8_well_formed(cmd_mbc_buf))
|
||||
+ if (!is_utf8_well_formed(cmd_mbc_buf, cmd_mbc_buf_index))
|
||||
{
|
||||
/* complete, but not well formed (non-shortest form), sequence */
|
||||
cmd_mbc_buf_len = 0;
|
||||
diff -up ./less-471/line.c.utf8 ./less-471/line.c
|
||||
--- ./less-471/line.c.utf8 2015-06-01 08:57:28.000000000 +0200
|
||||
+++ ./less-471/line.c 2015-06-01 09:00:01.061352521 +0200
|
||||
@@ -807,7 +807,7 @@ pappend(c, pos)
|
||||
mbc_buf[mbc_buf_index++] = c;
|
||||
if (mbc_buf_index < mbc_buf_len)
|
||||
return (0);
|
||||
|
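Review bot: In the charset.c hunk, `is_utf8_well_formed(s, slen)` still reads `s[0]` in `len = utf_len((char) s[0]);` before `slen` is consulted, so the added `if (len > slen)` guard bounds only the continuation bytes and not the lead byte. The two call sites visible on this page pass a length of at least 1 (`utf_bin_count` calls it under `while (len > 0)`, `cmd_char` after `cmd_mbc_buf_index++`), so this looks safe for them, but the function is `public` and a leading `if (slen <= 0) return (0);` would make the bound hold regardless of the caller. The header comment still describes only one parameter; it should say what `slen` means, for example `/* slen is the number of bytes readable starting at s. */`. The function body starts and ends outside the hunk, so a check placed before the visible `return (0);` may already cover part of this.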
@ -1,7 +1,7 @@
|
||||
Summary: A text file browser similar to more, but better
|
||||
Name: less
|
||||
Version: 471
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: GPLv3+
|
||||
Group: Applications/Text
|
||||
Source: http://www.greenwoodsoftware.com/less/%{name}-%{version}.tar.gz
|
||||
@ -46,7 +46,7 @@ files, and you'll use it frequently.
|
||||
%patch9 -p1 -b .less-filters-man
|
||||
%patch10 -p1 -b .lesskey-usage
|
||||
%patch11 -p1 -b .old-bot
|
||||
%patch12 -p1 -b .out_of_bounds_read.patch
|
||||
%patch12 -p2 -b .out_of_bounds_read.patch
|
||||
autoreconf
|
||||
|
||||
chmod -R a+w *
|
||||
@ -77,6 +77,9 @@ ls -la $RPM_BUILD_ROOT/etc/profile.d
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
|
||||
%changelog
|
||||
* Mon Jun 01 2015 Jozef Mlich <jmlich@redhat.com> - 471-4
|
||||
- update of previous patch
|
||||
|
||||
* Mon Jun 01 2015 Jozef Mlich <jmlich@redhat.com> - 471-3
|
||||
- out of bounds read access in is_utf8_well_formed()
|
||||
Resolves: #1201310
|
||||
|