File fix-for-CVE-2019-19917-and-CVE-2019-19918.patch of Package lout

Overview Repositories Revisions Requests Users Attributes Meta

File fix-for-CVE-2019-19917-and-CVE-2019-19918.patch of Package lout (Revision 9e4743a73650f229342ed8b7211d2906)

Currently displaying revision 9e4743a73650f229342ed8b7211d2906 , Show latest

From 66635de582adad18fb31ff9060a77a9a0cc63357 Mon Sep 17 00:00:00 2001
From: William Bader <williambader@hotmail.com>
Date: Thu, 22 Oct 2020 22:55:28 +0000
Subject: [PATCH] Fix for CVE-2019-19917 and CVE-2019-19918

The one in StringQuotedWord was more complicated because it was
due to a string longer than MAX_BUFF, and when I fixed the access
there, other places had errors.

The one in srcnext needed only an extra test in a loop.

I tested the manual in doc/user before and after, and the only
differences seemed to be places that embedded the current time.
---
 externs.h | 4 ++++
 z02.c     | 2 +-
 z33.c     | 7 +++++--
 z39.c     | 8 +++++---
 4 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/externs.h b/externs.h
index 8ea7f69..ccbd839 100644
--- a/externs.h
+++ b/externs.h
@@ -260,6 +260,9 @@ If you're compiling this, you've got the wrong settings in the makefile!
 /*                      that can appear correctly on one page.  Can be       */
 /*                      increased to any small positive integer.             */
 /*                                                                           */
+/*  MAX_FORMAT          The maximum number of characters for sscanf formats  */
+/*                      for splitting strings with tab-delimited fields.     */
+/*                                                                           */
 /*****************************************************************************/
 
 #define	MAX_FULL_LENGTH	8388607	/* 2**23 - 1, about 148 metres */
@@ -275,6 +278,7 @@ If you're compiling this, you've got the wrong settings in the makefile!
 #define	MAX_LEX_STACK	20
 #define	MAX_CHARS	256
 #define MAX_HCOPIES	3
+#define MAX_FORMAT	100
 
 /*****************************************************************************/
 /*                                                                           */
diff --git a/z02.c b/z02.c
index 6e3cf03..d0b6a12 100644
--- a/z02.c
+++ b/z02.c
@@ -379,7 +379,7 @@ static void srcnext(void)
   if( blksize != 0 && chpt < limit )
   { debugcond0(DLA, DD, stack_free <= 1, "srcnext: transferring.");
     col = buf;
-    while( chtbl[(*--col = *--limit)] != NEWLINE );
+    while( col > mem_block && chtbl[(*--col = *--limit)] != NEWLINE );
     frst = col + 1;  limit++;  blksize = 0;
   }
 
diff --git a/z33.c b/z33.c
index 3cc568e..c867838 100644
--- a/z33.c
+++ b/z33.c
@@ -848,6 +848,7 @@ BOOLEAN DbRetrieve(OBJECT db, BOOLEAN gall, OBJECT sym, FULL_CHAR *tag,
 BOOLEAN DbRetrieveNext(OBJECT db, BOOLEAN *gall, OBJECT *sym, FULL_CHAR *tag,
   FULL_CHAR *seq, FILE_NUM *dfnum, long *dfpos, int *dlnum, long *cont)
 { FULL_CHAR line[MAX_BUFF], *cline, fname[MAX_BUFF]; int symnum;
+  char format[MAX_FORMAT];
   ifdebug(DPP, D, ProfileOn("DbRetrieveNext"));
   debug2(DBS, DD, "DbRetrieveNext( %s, %ld )", string(db), *cont);
   assert(reading(db), "DbRetrieveNext: not reading");
@@ -859,6 +860,8 @@ BOOLEAN DbRetrieveNext(OBJECT db, BOOLEAN *gall, OBJECT *sym, FULL_CHAR *tag,
     return FALSE;
   }
 
+  sprintf(format, "%%d&%%%d[^\t]\t%%%d[^\t]\t%%*[^\t]\t%%ld\t%%d\t%%%d[^\n\f]", MAX_BUFF-1, MAX_BUFF-1, MAX_BUFF-1);
+
   if( in_memory(db) )
   {
     /* get next entry from internal database */
@@ -869,7 +872,7 @@ BOOLEAN DbRetrieveNext(OBJECT db, BOOLEAN *gall, OBJECT *sym, FULL_CHAR *tag,
     }
     cline = (FULL_CHAR *) db_lines(db)[*cont];
     *gall = (cline[0] == '0' ? 1 : 0);
-    sscanf((char *)&cline[*gall], "%d&%[^\t]\t%[^\t]\t%*[^\t]\t%ld\t%d\t%[^\n\f]",
+    sscanf((char *)&cline[*gall], format,
       &symnum, tag, seq, dfpos, dlnum, fname);
     *cont = *cont + 1;
   }
@@ -883,7 +886,7 @@ BOOLEAN DbRetrieveNext(OBJECT db, BOOLEAN *gall, OBJECT *sym, FULL_CHAR *tag,
       return FALSE;
     }
     *gall = (line[0] == '0' ? 1 : 0);
-    sscanf((char *)&line[*gall], "%d&%[^\t]\t%[^\t]\t%*[^\t]\t%ld\t%d\t%[^\n\f]",
+    sscanf((char *)&line[*gall], format,
       &symnum, tag, seq, dfpos, dlnum, fname);
     *cont = ftell(db_filep(db));
   }
diff --git a/z39.c b/z39.c
index 4a06b58..ab0ac8d 100644
--- a/z39.c
+++ b/z39.c
@@ -79,11 +79,13 @@ int strcollcmp(char *a, char *b)
 int strcollcmp(char *a, char *b)
 { char a1[MAX_BUFF], a2[MAX_BUFF], a3[MAX_BUFF];
   char b1[MAX_BUFF], b2[MAX_BUFF], b3[MAX_BUFF];
+  char format[MAX_FORMAT];
   int order;
+  sprintf(format, "%%%d[^\t]\t%%%d[^\t]\t%%%d[^\t]", MAX_BUFF-1, MAX_BUFF-1, MAX_BUFF-1);
   a1[0] = a2[0] = a3[0] = '\0';
-  sscanf(a, "%[^\t]\t%[^\t]\t%[^\t]", a1, a2, a3);
+  sscanf(a, format, a1, a2, a3);
   b1[0] = b2[0] = b3[0] = '\0';
-  sscanf(b, "%[^\t]\t%[^\t]\t%[^\t]", b1, b2, b3);
+  sscanf(b, format, b1, b2, b3);
   order = strcoll(a1, b1);
   if( order == 0 )
   {
@@ -251,7 +253,7 @@ FULL_CHAR *StringQuotedWord(OBJECT x)
   *q++ = CH_QUOTE;
   for( p = string(x);  *p != '\0';  p++ )
   { 
-    for( r = (FULL_CHAR *) quoted_string[*p];  *r != '\0';  *q++ = *r++ );
+    for( r = (FULL_CHAR *) quoted_string[*p];  *r != '\0' && q < &buff[MAX_BUFF-2];  *q++ = *r++ );
   }
   *q++ = CH_QUOTE;
   *q++ = '\0';
-- 
2.45.1

Places

File fix-for-CVE-2019-19917-and-CVE-2019-19918.patch of Package lout (Revision 9e4743a73650f229342ed8b7211d2906)

Places