rpms/less
5
0
Fork 0
Code Issues Pull Requests Releases Activity

out of bounds read access in is_utf8_well_formed()

Browse Source 
Resolves: #1201310
CVE-2014-9488

This is an update of previous patch.

The function is_utf8_well_formed was defined in charset.c with single parameter. I was surprised, that it is even compiling.

This new patch is updating own implementation of function is_utf8_well_formed and fixing also its other use. The code is taken from Mark Nudelman's unreleased version of less.
This commit is contained in:
Jozef Mlich 2015-06-01 09:13:01 +02:00
parent a879a7d3f4
commit 48f39f63a0
2 changed files with 53 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
less-471-out_of_bounds_read.patch
View File

@ -1,6 +1,51 @@
--- less-474/line.c 2015-01-31 00:20:29.000000000 +0100 diff -up ./less-471/charset.c.utf8 ./less-471/charset.c
+++ less-475/line.c 2015-03-05 20:07:08.000000000 +0100 --- ./less-471/charset.c.utf8 2014-12-14 19:19:11.000000000 +0100
@@ -807,7 +807,7 @@ +++ ./less-471/charset.c 2015-06-01 08:59:38.140122262 +0200
@@ -506,8 +506,9 @@ utf_len(ch)
* Does the parameter point to the lead byte of a well-formed UTF-8 character?
*/
public int
-is_utf8_well_formed(s)
+is_utf8_well_formed(s, slen)
unsigned char *s;
+ int slen;
{
int i;
int len;
@@ -516,6 +517,8 @@ is_utf8_well_formed(s)
return (0);
len = utf_len((char) s[0]);
+ if (len > slen)
+ return (0);
if (len == 1)
return (1);
if (len == 2)
@@ -547,7 +550,7 @@ utf_bin_count(data, len)
int bin_count = 0;
while (len > 0)
{
- if (is_utf8_well_formed(data))
+ if (is_utf8_well_formed(data, len))
{
int clen = utf_len(*data);
data += clen;
diff -up ./less-471/cmdbuf.c.utf8 ./less-471/cmdbuf.c
--- ./less-471/cmdbuf.c.utf8 2014-12-14 19:19:11.000000000 +0100
+++ ./less-471/cmdbuf.c 2015-06-01 09:00:43.247776312 +0200
@@ -1264,7 +1264,7 @@ cmd_char(c)
cmd_mbc_buf[cmd_mbc_buf_index++] = c;
if (cmd_mbc_buf_index < cmd_mbc_buf_len)
return (CC_OK);
- if (!is_utf8_well_formed(cmd_mbc_buf))
+ if (!is_utf8_well_formed(cmd_mbc_buf, cmd_mbc_buf_index))
{
/* complete, but not well formed (non-shortest form), sequence */
cmd_mbc_buf_len = 0;
diff -up ./less-471/line.c.utf8 ./less-471/line.c
--- ./less-471/line.c.utf8 2015-06-01 08:57:28.000000000 +0200
+++ ./less-471/line.c 2015-06-01 09:00:01.061352521 +0200
@@ -807,7 +807,7 @@ pappend(c, pos)
mbc_buf[mbc_buf_index++] = c; mbc_buf[mbc_buf_index++] = c;
if (mbc_buf_index < mbc_buf_len) if (mbc_buf_index < mbc_buf_len)
return (0); return (0);

7
less.spec
View File

@ -1,7 +1,7 @@
Summary: A text file browser similar to more, but better Summary: A text file browser similar to more, but better
Name: less Name: less
Version: 471 Version: 471
Release: 3%{?dist} Release: 4%{?dist}
License: GPLv3+ License: GPLv3+
Group: Applications/Text Group: Applications/Text
Source: http://www.greenwoodsoftware.com/less/%{name}-%{version}.tar.gz Source: http://www.greenwoodsoftware.com/less/%{name}-%{version}.tar.gz
@ -46,7 +46,7 @@ files, and you'll use it frequently.
%patch9 -p1 -b .less-filters-man %patch9 -p1 -b .less-filters-man
%patch10 -p1 -b .lesskey-usage %patch10 -p1 -b .lesskey-usage
%patch11 -p1 -b .old-bot %patch11 -p1 -b .old-bot
%patch12 -p1 -b .out_of_bounds_read.patch %patch12 -p2 -b .out_of_bounds_read.patch
autoreconf autoreconf
chmod -R a+w * chmod -R a+w *
@ -77,6 +77,9 @@ ls -la $RPM_BUILD_ROOT/etc/profile.d
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
%changelog %changelog
* Mon Jun 01 2015 Jozef Mlich <jmlich@redhat.com> - 471-4
- update of previous patch
* Mon Jun 01 2015 Jozef Mlich <jmlich@redhat.com> - 471-3 * Mon Jun 01 2015 Jozef Mlich <jmlich@redhat.com> - 471-3
- out of bounds read access in is_utf8_well_formed() - out of bounds read access in is_utf8_well_formed()
Resolves: #1201310 Resolves: #1201310