File liblouis-CVE-2022-31783.patch of Package liblouis.24586
From 2e4772befb2b1c37cb4b9d6572945115ee28630a Mon Sep 17 00:00:00 2001
From: Christian Egli <christian.egli@sbs.ch>
Date: Wed, 25 May 2022 18:08:36 +0200
Subject: [PATCH] Prevent an invalid memory writes in compileRule
Thanks to Han Zheng for reporting it
Fixes #1214
---
liblouis/compileTranslationTable.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c
index 482ff1a6..43785245 100644
--- a/liblouis/compileTranslationTable.c
+++ b/liblouis/compileTranslationTable.c
@@ -3821,12 +3821,14 @@ doOpcode:
case CTO_SeqAfterExpression:
if (!getRuleCharsText(file, &ruleChars)) return 0;
- for ((*table)->seqAfterExpressionLength = 0;
- (*table)->seqAfterExpressionLength < ruleChars.length;
- (*table)->seqAfterExpressionLength++)
- (*table)->seqAfterExpression[(*table)->seqAfterExpressionLength] =
- ruleChars.chars[(*table)->seqAfterExpressionLength];
- (*table)->seqAfterExpression[(*table)->seqAfterExpressionLength] = 0;
+ if ((ruleChars.length + 1) > SEQPATTERNSIZE) {
+ compileError(file, "More than %d characters", SEQPATTERNSIZE);
+ return 0;
+ }
+ for (int k = 0; k < ruleChars.length; k++)
+ (*table)->seqAfterExpression[k] = ruleChars.chars[k];
+ (*table)->seqAfterExpression[ruleChars.length] = 0;
+ (*table)->seqAfterExpressionLength = ruleChars.length;
return 1;
case CTO_CapsModeChars:
--
2.36.1