78 lines
3.1 KiB
Diff
78 lines
3.1 KiB
Diff
diff -up ncurses-6.2-20210508/ncurses/tinfo/alloc_entry.c.cve-2022-29458 ncurses-6.2-20210508/ncurses/tinfo/alloc_entry.c
|
|
--- ncurses-6.2-20210508/ncurses/tinfo/alloc_entry.c.cve-2022-29458 2021-05-05 01:15:34.000000000 +0200
|
|
+++ ncurses-6.2-20210508/ncurses/tinfo/alloc_entry.c 2025-06-25 16:26:30.667252829 +0200
|
|
@@ -53,8 +53,6 @@ MODULE_ID("$Id: alloc_entry.c,v 1.65 202
|
|
#define ABSENT_OFFSET -1
|
|
#define CANCELLED_OFFSET -2
|
|
|
|
-#define MAX_STRTAB 4096 /* documented maximum entry size */
|
|
-
|
|
static char *stringbuf; /* buffer for string capabilities */
|
|
static size_t next_free; /* next free character in stringbuf */
|
|
|
|
@@ -72,7 +70,7 @@ _nc_init_entry(ENTRY * const tp)
|
|
#endif
|
|
|
|
if (stringbuf == 0)
|
|
- TYPE_MALLOC(char, (size_t) MAX_STRTAB, stringbuf);
|
|
+ TYPE_MALLOC(char, (size_t) MAX_ENTRY_SIZE, stringbuf);
|
|
|
|
next_free = 0;
|
|
|
|
@@ -108,11 +106,11 @@ _nc_save_str(const char *const string)
|
|
* Cheat a little by making an empty string point to the end of the
|
|
* previous string.
|
|
*/
|
|
- if (next_free < MAX_STRTAB) {
|
|
+ if (next_free < MAX_ENTRY_SIZE) {
|
|
result = (stringbuf + next_free - 1);
|
|
}
|
|
- } else if (next_free + len < MAX_STRTAB) {
|
|
- _nc_STRCPY(&stringbuf[next_free], string, MAX_STRTAB);
|
|
+ } else if (next_free + len < MAX_ENTRY_SIZE) {
|
|
+ _nc_STRCPY(&stringbuf[next_free], string, MAX_ENTRY_SIZE);
|
|
DEBUG(7, ("Saved string %s", _nc_visbuf(string)));
|
|
DEBUG(7, ("at location %d", (int) next_free));
|
|
next_free += len;
|
|
diff -up ncurses-6.2-20210508/ncurses/tinfo/read_entry.c.cve-2022-29458 ncurses-6.2-20210508/ncurses/tinfo/read_entry.c
|
|
--- ncurses-6.2-20210508/ncurses/tinfo/read_entry.c.cve-2022-29458 2025-06-25 16:19:46.663763114 +0200
|
|
+++ ncurses-6.2-20210508/ncurses/tinfo/read_entry.c 2025-06-25 16:19:46.668872395 +0200
|
|
@@ -1,5 +1,5 @@
|
|
/****************************************************************************
|
|
- * Copyright 2018-2020,2021 Thomas E. Dickey *
|
|
+ * Copyright 2018-2021,2022 Thomas E. Dickey *
|
|
* Copyright 1998-2016,2017 Free Software Foundation, Inc. *
|
|
* *
|
|
* Permission is hereby granted, free of charge, to any person obtaining a *
|
|
@@ -145,6 +145,7 @@ convert_strings(char *buf, char **String
|
|
{
|
|
int i;
|
|
char *p;
|
|
+ bool corrupt = FALSE;
|
|
|
|
for (i = 0; i < count; i++) {
|
|
if (IS_NEG1(buf + 2 * i)) {
|
|
@@ -154,8 +155,20 @@ convert_strings(char *buf, char **String
|
|
} else if (MyNumber(buf + 2 * i) > size) {
|
|
Strings[i] = ABSENT_STRING;
|
|
} else {
|
|
- Strings[i] = (MyNumber(buf + 2 * i) + table);
|
|
- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i])));
|
|
+ int nn = MyNumber(buf + 2 * i);
|
|
+ if (nn >= 0 && nn < size) {
|
|
+ Strings[i] = (nn + table);
|
|
+ TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
|
|
+ _nc_visbuf(Strings[i])));
|
|
+ } else {
|
|
+ if (!corrupt) {
|
|
+ corrupt = TRUE;
|
|
+ TR(TRACE_DATABASE,
|
|
+ ("ignore out-of-range index %d to Strings[]", nn));
|
|
+ _nc_warning("corrupt data found in convert_strings");
|
|
+ }
|
|
+ Strings[i] = ABSENT_STRING;
|
|
+ }
|
|
}
|
|
|
|
/* make sure all strings are NUL terminated */
|