File CVE-2018-11683.patch of Package liblouis.24590
From e7eee2b7926668360a0d8e2abee6c35a00ebce3c Mon Sep 17 00:00:00 2001
From: Christian Egli <christian.egli@sbs.ch>
Date: Mon, 4 Jun 2018 12:02:13 +0200
Subject: [PATCH] Fix yet another buffer overflow in the braille table parser
Reported by Henri Salo
Fixes #591
Rebased by Mike Gorse <mgorse@suse.com>
---
diff -urp liblouis-3.3.0.orig/liblouis/compileTranslationTable.c liblouis-3.3.0/liblouis/compileTranslationTable.c
--- liblouis-3.3.0.orig/liblouis/compileTranslationTable.c 2018-08-08 09:55:37.090180902 -0500
+++ liblouis-3.3.0/liblouis/compileTranslationTable.c 2018-08-08 10:34:10.831574164 -0500
@@ -1453,14 +1453,14 @@ parseChars (FileInfo * nested,
}
utf32 = (utf32 << 6) + (token->chars[in++] & 0x3f);
}
- if (CHARSIZE == 2 && utf32 > 0xffff)
- utf32 = 0xffff;
- result->chars[out++] = (widechar) utf32;
if (out >= MAXSTRING)
{
result->length = lastOutSize;
return 1;
}
+ if (CHARSIZE == 2 && utf32 > 0xffff)
+ utf32 = 0xffff;
+ result->chars[out++] = (widechar) utf32;
}
result->length = out;
return 1;
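Review bot: The overflow branch in parseChars still truncates silently: it sets `result->length = lastOutSize;` and returns 1, the same value as the normal return at the end of the hunk, so a caller cannot tell a cut-off string from a complete one. Reporting the condition before returning, for example with the file's existing error helper as `compileError (nested, "Token too long");`, would surface an oversized table entry instead of compiling a shortened rule. A comment on the guard such as `/* must run before the store so out never indexes past MAXSTRING - 1 */` would keep the ordering from being reversed again. The loop that reads `token->chars[in++]` begins outside the hunk, so whether `in` is bounded by the token length cannot be confirmed from here.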
diff -urp liblouis-3.3.0.orig/tools/lou_translate.c liblouis-3.3.0/tools/lou_translate.c
--- liblouis-3.3.0.orig/tools/lou_translate.c 2017-09-04 09:40:14.000000000 -0500
+++ liblouis-3.3.0/tools/lou_translate.c 2018-08-08 10:35:53.064563859 -0500
@@ -33,8 +33,6 @@
#include "unistr.h"
#include "version-etc.h"
-#define BUFSIZE MAXSTRING - 4
-
static int forward_flag = 0;
static int backward_flag = 0;
@@ -57,11 +55,11 @@ const char version_etc_copyright[] =
static void
translate_input (int forward_translation, char *table_name)
{
- char charbuf[BUFSIZE];
+ char charbuf[MAXSTRING];
char *outputbuf;
size_t outlen;
- widechar inbuf[BUFSIZE];
- widechar transbuf[BUFSIZE];
+ widechar inbuf[MAXSTRING];
+ widechar transbuf[MAXSTRING];
int inlen;
int translen;
int k;
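Review bot: The buffers in translate_input are now sized with the literal `MAXSTRING`, and the following hunk repeats that constant in `translen = MAXSTRING;` and `k < MAXSTRING-1`, so the array sizes and the limits checked against them stay in step only by hand. Deriving the limits from the arrays, e.g. `translen = sizeof transbuf / sizeof transbuf[0];` and `k < (int) sizeof charbuf - 1`, would stop a later resize of one declaration from reintroducing an overrun. A one-line comment above the declarations saying why they match the library's MAXSTRING would also help; the commit gives no reason for dropping BUFSIZE, so that rationale should be confirmed by the author. The function body continues outside this hunk.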
@@ -69,9 +67,9 @@ translate_input (int forward_translation
int result;
while (1)
{
- translen = BUFSIZE;
+ translen = MAXSTRING;
k = 0;
- while ((ch = fgetc(input)) != '\n' && ch != EOF && k < BUFSIZE-1)
+ while ((ch = fgetc(input)) != '\n' && ch != EOF && k < MAXSTRING-1)
charbuf[k++] = ch;
if (ch == EOF && k == 0)
break;
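Review bot: The read loop drops one input byte whenever a line reaches the buffer limit, because `fgetc(input)` is evaluated before `k < MAXSTRING-1` and the byte it returned is discarded when the length test fails. Testing the bound first avoids consuming a byte that cannot be stored: `while (k < MAXSTRING-1 && (ch = fgetc(input)) != '\n' && ch != EOF)`. With that order an over-long line is still split across iterations, and the split can fall inside a multi-byte sequence. Whether the conversion code handles that cannot be seen here, since the rest of translate_input lies outside the hunk. A comment noting that lines longer than MAXSTRING-1 bytes are processed in pieces would document the behaviour for users of the tool.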