From d45430431f8c75941f863328eb3f7fc09f902b2e Mon Sep 17 00:00:00 2001 From: Marsman1996 Date: Wed, 8 Feb 2023 22:10:01 +0800 Subject: [PATCH 1/3] Check the path length before coping into tableFile --- liblouis/compileTranslationTable.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c index 3c74929bcb..2da766e169 100644 --- a/liblouis/compileTranslationTable.c +++ b/liblouis/compileTranslationTable.c @@ -4539,7 +4539,9 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) { char *tableFile; static struct stat info; - if (table == NULL || table[0] == '\0') return NULL; + if (table == NULL || table[0] == '\0' || + strlen(table) >= MAXSTRING * sizeof(char) * 2) + return NULL; tableFile = (char *)malloc(MAXSTRING * sizeof(char) * 2); // @@ -4547,10 +4549,13 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) { // if (base) { int k; + if (strlen(base) >= MAXSTRING * sizeof(char) * 2) goto failure; strcpy(tableFile, base); k = (int)strlen(tableFile); while (k >= 0 && tableFile[k] != '/' && tableFile[k] != '\\') k--; tableFile[++k] = '\0'; + if (strlen(tableFile) + strlen(table) >= MAXSTRING * sizeof(char) * 2) + goto failure; strcat(tableFile, table); if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) { _lou_logMessage(LOU_LOG_DEBUG, "found table %s", tableFile); @@ -4582,6 +4587,10 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) { last = (*cp == '\0'); *cp = '\0'; if (dir == cp) dir = "."; + if (strlen(dir) + strlen(table) + 1 >= MAXSTRING * sizeof(char) * 2) { + free(searchPath_copy); + goto failure; + } sprintf(tableFile, "%s%c%s", dir, DIR_SEP, table); if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) { _lou_logMessage(LOU_LOG_DEBUG, "found table %s", tableFile); @@ -4589,6 +4598,10 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) { return tableFile; } if (last) break; + if (strlen(dir) + strlen(table) + 16 >= MAXSTRING * sizeof(char) * 2) { + free(searchPath_copy); + goto failure; + } sprintf(tableFile, "%s%c%s%c%s%c%s", dir, DIR_SEP, "liblouis", DIR_SEP, "tables", DIR_SEP, table); if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) { @@ -4600,6 +4613,7 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) { } free(searchPath_copy); } +failure: free(tableFile); return NULL; } From 6f39e88745e8ec602ccc46042c305a6188f28b0a Mon Sep 17 00:00:00 2001 From: Marsman1996 Date: Wed, 8 Feb 2023 22:40:52 +0800 Subject: [PATCH 2/3] fix format: 1. define MAX_TABLEFILE_SIZE 2. parse the magic number --- liblouis/compileTranslationTable.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c index 2da766e169..f334a38371 100644 --- a/liblouis/compileTranslationTable.c +++ b/liblouis/compileTranslationTable.c @@ -4539,23 +4539,21 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) { char *tableFile; static struct stat info; - if (table == NULL || table[0] == '\0' || - strlen(table) >= MAXSTRING * sizeof(char) * 2) - return NULL; - tableFile = (char *)malloc(MAXSTRING * sizeof(char) * 2); +#define MAX_TABLEFILE_SIZE MAXSTRING * sizeof(char) * 2 + if (table == NULL || table[0] == '\0') return NULL; + tableFile = (char *)malloc(MAX_TABLEFILE_SIZE); // // First try to resolve against base // if (base) { int k; - if (strlen(base) >= MAXSTRING * sizeof(char) * 2) goto failure; + if (strlen(base) >= MAX_TABLEFILE_SIZE) goto failure; strcpy(tableFile, base); k = (int)strlen(tableFile); while (k >= 0 && tableFile[k] != '/' && tableFile[k] != '\\') k--; tableFile[++k] = '\0'; - if (strlen(tableFile) + strlen(table) >= MAXSTRING * sizeof(char) * 2) - goto failure; + if (strlen(tableFile) + strlen(table) >= MAX_TABLEFILE_SIZE) goto failure; strcat(tableFile, table); if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) { _lou_logMessage(LOU_LOG_DEBUG, "found table %s", tableFile); @@ -4567,6 +4565,7 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) { // It could be an absolute path, or a path relative to the current working // directory // + if (strlen(table) >= MAX_TABLEFILE_SIZE) goto failure; strcpy(tableFile, table); if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) { _lou_logMessage(LOU_LOG_DEBUG, "found table %s", tableFile); @@ -4587,7 +4586,7 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) { last = (*cp == '\0'); *cp = '\0'; if (dir == cp) dir = "."; - if (strlen(dir) + strlen(table) + 1 >= MAXSTRING * sizeof(char) * 2) { + if (strlen(dir) + strlen(table) + 1 >= MAX_TABLEFILE_SIZE) { free(searchPath_copy); goto failure; } @@ -4598,7 +4597,8 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) { return tableFile; } if (last) break; - if (strlen(dir) + strlen(table) + 16 >= MAXSTRING * sizeof(char) * 2) { + if (strlen(dir) + strlen("liblouis") + strlen("tables") + strlen(table) + 3 >= + MAX_TABLEFILE_SIZE) { free(searchPath_copy); goto failure; } From 9f6cec9b63c1d9396fcc32fed77267a2815b648f Mon Sep 17 00:00:00 2001 From: Marsman1996 Date: Wed, 8 Feb 2023 23:01:56 +0800 Subject: [PATCH 3/3] add parentheses for define expression --- liblouis/compileTranslationTable.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c index f334a38371..3575792796 100644 --- a/liblouis/compileTranslationTable.c +++ b/liblouis/compileTranslationTable.c @@ -4539,7 +4539,7 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) { char *tableFile; static struct stat info; -#define MAX_TABLEFILE_SIZE MAXSTRING * sizeof(char) * 2 +#define MAX_TABLEFILE_SIZE (MAXSTRING * sizeof(char) * 2) if (table == NULL || table[0] == '\0') return NULL; tableFile = (char *)malloc(MAX_TABLEFILE_SIZE);