52 lines
1.9 KiB
Diff
52 lines
1.9 KiB
Diff
From 7e135b9313ad06218dfcf9ed63070edede7745a1 Mon Sep 17 00:00:00 2001
|
|
From: Christian Egli <christian.egli@sbs.ch>
|
|
Date: Thu, 31 May 2018 12:08:56 +0200
|
|
Subject: [PATCH] Fix yet another buffer overflow in the braille table parser
|
|
|
|
Reported by Edward-L
|
|
|
|
Fixes #582
|
|
diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c
|
|
index 777e1da..b6bd010 100644
|
|
--- a/liblouis/compileTranslationTable.c
|
|
+++ b/liblouis/compileTranslationTable.c
|
|
@@ -2855,6 +2855,10 @@ compilePassOpcode (FileInfo * nested, TranslationTableOpcode opcode)
|
|
passLinepos = 0;
|
|
while (passLinepos <= endTest)
|
|
{
|
|
+ if (passIC >= MAXSTRING) {
|
|
+ compileError(passNested, "Test part in multipass operand too long");
|
|
+ return 0;
|
|
+ }
|
|
switch ((passSubOp = passLine.chars[passLinepos]))
|
|
{
|
|
case pass_lookback:
|
|
@@ -3050,6 +3054,10 @@ compilePassOpcode (FileInfo * nested, TranslationTableOpcode opcode)
|
|
while (passLinepos < passLine.length &&
|
|
passLine.chars[passLinepos] > 32)
|
|
{
|
|
+ if (passIC >= MAXSTRING) {
|
|
+ compileError(passNested, "Action part in multipass operand too long");
|
|
+ return 0;
|
|
+ }
|
|
switch ((passSubOp = passLine.chars[passLinepos]))
|
|
{
|
|
case pass_string:
|
|
@@ -3077,8 +3085,15 @@ compilePassOpcode (FileInfo * nested, TranslationTableOpcode opcode)
|
|
if (passHoldString.length == 0)
|
|
return 0;
|
|
passInstructions[passIC++] = passHoldString.length;
|
|
- for (kk = 0; kk < passHoldString.length; kk++)
|
|
+ for (kk = 0; kk < passHoldString.length; kk++)
|
|
+ {
|
|
+ if (passIC >= MAXSTRING)
|
|
+ {
|
|
+ compileError(passNested, "@ operand in action part of multipass operand too long");
|
|
+ return 0;
|
|
+ }
|
|
passInstructions[passIC++] = passHoldString.chars[kk];
|
|
+ }
|
|
break;
|
|
case pass_variable:
|
|
passLinepos++;
|