File CVE-2018-11577.patch of Package liblouis.8491

From 7e135b9313ad06218dfcf9ed63070edede7745a1 Mon Sep 17 00:00:00 2001
From: Christian Egli <christian.egli@sbs.ch>
Date: Thu, 31 May 2018 12:08:56 +0200
Subject: [PATCH] Fix yet another buffer overflow in the braille table parser

Reported by Edward-L

Fixes #582

Backported by Mike Gorse <mgorse@suse.com>
---
diff -urp liblouis-3.3.0.orig/liblouis/compileTranslationTable.c liblouis-3.3.0/liblouis/compileTranslationTable.c
--- liblouis-3.3.0.orig/liblouis/compileTranslationTable.c	2018-08-07 16:42:53.403802884 -0500
+++ liblouis-3.3.0/liblouis/compileTranslationTable.c	2018-08-07 18:18:30.692918915 -0500
@@ -2874,6 +2874,10 @@ compilePassOpcode (FileInfo * nested,
       passLinepos = 0;
       while (passLinepos <= endTest)
 	{
+			if (passIC >= MAXSTRING) {
+				compileError(passNested, "Test part in multipass operand too long");
+				return 0;
+			}
 	  switch ((passSubOp = passLine.chars[passLinepos]))
 	    {
 	    case pass_lookback:
@@ -3073,6 +3077,10 @@ compilePassOpcode (FileInfo * nested,
       while (passLinepos < passLine.length &&
 	     passLine.chars[passLinepos] > 32)
 	{
+			if (passIC >= MAXSTRING) {
+				compileError(passNested, "Action part in multipass operand too long");
+				return 0;
+			}
 	  switch ((passSubOp = passLine.chars[passLinepos]))
 	    {
 	    case pass_string:
@@ -3096,8 +3104,14 @@ compilePassOpcode (FileInfo * nested,
 	      if (passHoldString.length == 0)
 		return 0;
 	      passInstructions[passIC++] = passHoldString.length;
-	      for (kk = 0; kk < passHoldString.length; kk++)
+				for (kk = 0; kk < passHoldString.length; kk++) {
+					if (passIC >= MAXSTRING) {
+						compileError(passNested,
+								"@ operand in action part of multipass operand too long");
+						return 0;
+					}
 		passInstructions[passIC++] = passHoldString.chars[kk];
+				}
 	      break;
 	    case pass_variable:
 	      passLinepos++;
openSUSE Build Service is sponsored by