File liblouis-CVE-2022-26981.patch of Package liblouis.28479
From 73751be7a5617bfff4a735ae095203a2d3ec50ef Mon Sep 17 00:00:00 2001
From: Martin Gieseking <martin.gieseking@uos.de>
Date: Tue, 22 Mar 2022 15:31:04 +0100
Subject: [PATCH] Prevent writing past CharString memory in compilePassOpcode
---
diff -urp liblouis-3.11.0.orig/liblouis/compileTranslationTable.c liblouis-3.11.0/liblouis/compileTranslationTable.c
--- liblouis-3.11.0.orig/liblouis/compileTranslationTable.c 2019-08-28 04:15:13.000000000 -0500
+++ liblouis-3.11.0/liblouis/compileTranslationTable.c 2022-06-03 10:46:27.507040496 -0500
@@ -1726,6 +1726,17 @@ verifyStringOrDots(FileInfo *nested, Tra
}
static int
+appendInstructionChar(
+ const FileInfo *file, widechar *passInstructions, int *passIC, widechar ch) {
+ if (*passIC >= MAXSTRING) {
+ compileError(file, "multipass operand too long");
+ return 0;
+ }
+ passInstructions[(*passIC)++] = ch;
+ return 1;
+}
+
+static int
compilePassOpcode(FileInfo *nested, TranslationTableOpcode opcode,
CharacterClass *characterClasses, TranslationTableOffset *newRuleOffset,
TranslationTableRule **newRule, int noback, int nofor, RuleName *ruleNames,
@@ -1769,32 +1780,34 @@ compilePassOpcode(FileInfo *nested, Tran
passLine.chars[endTest] = pass_endTest;
passLinepos = 0;
while (passLinepos <= endTest) {
- if (passIC >= MAXSTRING) {
- compileError(passNested, "Test part in multipass operand too long");
- return 0;
- }
switch ((passSubOp = passLine.chars[passLinepos])) {
case pass_lookback:
- passInstructions[passIC++] = pass_lookback;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, pass_lookback))
+ return 0;
passLinepos++;
passGetNumber(&passLine, &passLinepos, &passHoldNumber);
if (passHoldNumber == 0) passHoldNumber = 1;
- passInstructions[passIC++] = passHoldNumber;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, passHoldNumber))
+ return 0;
break;
case pass_not:
- passInstructions[passIC++] = pass_not;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, pass_not))
+ return 0;
passLinepos++;
break;
case pass_first:
- passInstructions[passIC++] = pass_first;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, pass_first))
+ return 0;
passLinepos++;
break;
case pass_last:
- passInstructions[passIC++] = pass_last;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, pass_last))
+ return 0;
passLinepos++;
break;
case pass_search:
- passInstructions[passIC++] = pass_search;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, pass_search))
+ return 0;
passLinepos++;
break;
case pass_string:
@@ -1802,7 +1815,8 @@ compilePassOpcode(FileInfo *nested, Tran
return 0;
}
passLinepos++;
- passInstructions[passIC++] = pass_string;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, pass_string))
+ return 0;
passGetString(&passLine, &passLinepos, &passHoldString, passNested);
goto testDoCharsDots;
case pass_dots:
@@ -1810,7 +1824,8 @@ compilePassOpcode(FileInfo *nested, Tran
return 0;
}
passLinepos++;
- passInstructions[passIC++] = pass_dots;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, pass_dots))
+ return 0;
passGetDots(&passLine, &passLinepos, &passHoldString, passNested);
testDoCharsDots:
if (passHoldString.length == 0) return 0;
@@ -1819,22 +1834,29 @@ compilePassOpcode(FileInfo *nested, Tran
"@ operand in test part of multipass operand too long");
return 0;
}
- passInstructions[passIC++] = passHoldString.length;
+ if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, passHoldString.length))
+ return 0;
for (kk = 0; kk < passHoldString.length; kk++) {
if (passIC >= MAXSTRING) {
compileError(passNested,
"@ operand in test part of multipass operand too long");
return 0;
}
- passInstructions[passIC++] = passHoldString.chars[kk];
+ if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, passHoldString.chars[kk]))
+ return 0;
}
break;
case pass_startReplace:
- passInstructions[passIC++] = pass_startReplace;
+ if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, pass_startReplace))
+ return 0;
passLinepos++;
break;
case pass_endReplace:
- passInstructions[passIC++] = pass_endReplace;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, pass_endReplace))
+ return 0;
passLinepos++;
break;
case pass_variable:
@@ -1843,26 +1865,37 @@ compilePassOpcode(FileInfo *nested, Tran
return 0;
switch (passLine.chars[passLinepos]) {
case pass_eq:
- passInstructions[passIC++] = pass_eq;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, pass_eq))
+ return 0;
goto doComp;
case pass_lt:
if (passLine.chars[passLinepos + 1] == pass_eq) {
passLinepos++;
- passInstructions[passIC++] = pass_lteq;
- } else
- passInstructions[passIC++] = pass_lt;
+ if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, pass_lteq))
+ return 0;
+ } else if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, pass_lt))
+ return 0;
goto doComp;
case pass_gt:
if (passLine.chars[passLinepos + 1] == pass_eq) {
passLinepos++;
- passInstructions[passIC++] = pass_gteq;
- } else
- passInstructions[passIC++] = pass_gt;
+ if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, pass_gteq))
+ return 0;
+ } else if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, pass_gt))
+ return 0;
doComp:
- passInstructions[passIC++] = passHoldNumber;
+ if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, passHoldNumber))
+ return 0;
passLinepos++;
passGetNumber(&passLine, &passLinepos, &passHoldNumber);
- passInstructions[passIC++] = passHoldNumber;
+ if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, passHoldNumber))
+ return 0;
break;
default:
compileError(passNested, "incorrect comparison operator");
@@ -1874,25 +1907,34 @@ compilePassOpcode(FileInfo *nested, Tran
if (!passGetAttributes(&passLine, &passLinepos, &passAttributes, passNested))
return 0;
insertAttributes:
- passInstructions[passIC++] = pass_attributes;
- passInstructions[passIC++] = passAttributes >> 16;
- passInstructions[passIC++] = passAttributes & 0xffff;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, pass_attributes))
+ return 0;
+ if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, (passAttributes >> 16) & 0xffff))
+ return 0;
+ if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, passAttributes & 0xffff))
+ return 0;
getRange:
if (passLine.chars[passLinepos] == pass_until) {
passLinepos++;
- passInstructions[passIC++] = 1;
- passInstructions[passIC++] = 0xffff;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, 1)) return 0;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, 0xffff))
+ return 0;
break;
}
passGetNumber(&passLine, &passLinepos, &passHoldNumber);
if (passHoldNumber == 0) {
- passHoldNumber = passInstructions[passIC++] = 1;
- passInstructions[passIC++] = 1; /* This is not an error */
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, 1)) return 0;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, 1)) return 0;
break;
}
- passInstructions[passIC++] = passHoldNumber;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, passHoldNumber))
+ return 0;
if (passLine.chars[passLinepos] != pass_hyphen) {
- passInstructions[passIC++] = passHoldNumber;
+ if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, passHoldNumber))
+ return 0;
break;
}
passLinepos++;
@@ -1901,7 +1943,8 @@ compilePassOpcode(FileInfo *nested, Tran
compileError(passNested, "invalid range");
return 0;
}
- passInstructions[passIC++] = passHoldNumber;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, passHoldNumber))
+ return 0;
break;
case pass_groupstart:
case pass_groupend:
@@ -1911,9 +1954,14 @@ compilePassOpcode(FileInfo *nested, Tran
if (ruleOffset)
rule = (TranslationTableRule *)&(*table)->ruleArea[ruleOffset];
if (rule && rule->opcode == CTO_Grouping) {
- passInstructions[passIC++] = passSubOp;
- passInstructions[passIC++] = ruleOffset >> 16;
- passInstructions[passIC++] = ruleOffset & 0xffff;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, passSubOp))
+ return 0;
+ if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, ruleOffset >> 16))
+ return 0;
+ if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, ruleOffset & 0xffff))
+ return 0;
break;
} else {
compileError(passNested, "%s is not a grouping name",
@@ -1935,16 +1983,22 @@ compilePassOpcode(FileInfo *nested, Tran
if (rule &&
(rule->opcode == CTO_SwapCc || rule->opcode == CTO_SwapCd ||
rule->opcode == CTO_SwapDd)) {
- passInstructions[passIC++] = pass_swap;
- passInstructions[passIC++] = ruleOffset >> 16;
- passInstructions[passIC++] = ruleOffset & 0xffff;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, pass_swap))
+ return 0;
+ if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, ruleOffset >> 16))
+ return 0;
+ if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, ruleOffset & 0xffff))
+ return 0;
goto getRange;
}
compileError(passNested, "%s is neither a class name nor a swap name.",
_lou_showString(&passHoldString.chars[0], passHoldString.length, 0));
return 0;
case pass_endTest:
- passInstructions[passIC++] = pass_endTest;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, pass_endTest))
+ return 0;
passLinepos++;
break;
default:
@@ -1969,7 +2023,8 @@ compilePassOpcode(FileInfo *nested, Tran
return 0;
}
passLinepos++;
- passInstructions[passIC++] = pass_string;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, pass_string))
+ return 0;
passGetString(&passLine, &passLinepos, &passHoldString, passNested);
goto actionDoCharsDots;
case pass_dots:
@@ -1978,7 +2033,8 @@ compilePassOpcode(FileInfo *nested, Tran
}
passLinepos++;
passGetDots(&passLine, &passLinepos, &passHoldString, passNested);
- passInstructions[passIC++] = pass_dots;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, pass_dots))
+ return 0;
actionDoCharsDots:
if (passHoldString.length == 0) return 0;
if (passIC >= MAXSTRING) {
@@ -1986,14 +2042,18 @@ compilePassOpcode(FileInfo *nested, Tran
"@ operand in action part of multipass operand too long");
return 0;
}
- passInstructions[passIC++] = passHoldString.length;
+ if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, passHoldString.length))
+ return 0;
for (kk = 0; kk < passHoldString.length; kk++) {
if (passIC >= MAXSTRING) {
compileError(passNested,
"@ operand in action part of multipass operand too long");
return 0;
}
- passInstructions[passIC++] = passHoldString.chars[kk];
+ if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, passHoldString.chars[kk]))
+ return 0;
}
break;
case pass_variable:
@@ -2002,16 +2062,25 @@ compilePassOpcode(FileInfo *nested, Tran
return 0;
switch (passLine.chars[passLinepos]) {
case pass_eq:
- passInstructions[passIC++] = pass_eq;
- passInstructions[passIC++] = passHoldNumber;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, pass_eq))
+ return 0;
+ if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, passHoldNumber))
+ return 0;
passLinepos++;
passGetNumber(&passLine, &passLinepos, &passHoldNumber);
- passInstructions[passIC++] = passHoldNumber;
+ if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, passHoldNumber))
+ return 0;
break;
case pass_plus:
case pass_hyphen:
- passInstructions[passIC++] = passLine.chars[passLinepos++];
- passInstructions[passIC++] = passHoldNumber;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC,
+ passLine.chars[passLinepos++]))
+ return 0;
+ if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, passHoldNumber))
+ return 0;
break;
default:
compileError(passNested, "incorrect variable operator in action part");
@@ -2019,11 +2088,13 @@ compilePassOpcode(FileInfo *nested, Tran
}
break;
case pass_copy:
- passInstructions[passIC++] = pass_copy;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, pass_copy))
+ return 0;
passLinepos++;
break;
case pass_omit:
- passInstructions[passIC++] = pass_omit;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, pass_omit))
+ return 0;
passLinepos++;
break;
case pass_groupreplace:
@@ -2035,9 +2106,14 @@ compilePassOpcode(FileInfo *nested, Tran
if (ruleOffset)
rule = (TranslationTableRule *)&(*table)->ruleArea[ruleOffset];
if (rule && rule->opcode == CTO_Grouping) {
- passInstructions[passIC++] = passSubOp;
- passInstructions[passIC++] = ruleOffset >> 16;
- passInstructions[passIC++] = ruleOffset & 0xffff;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, passSubOp))
+ return 0;
+ if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, ruleOffset >> 16))
+ return 0;
+ if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, ruleOffset & 0xffff))
+ return 0;
break;
}
compileError(passNested, "%s is not a grouping name",
@@ -2052,9 +2128,14 @@ compilePassOpcode(FileInfo *nested, Tran
if (rule &&
(rule->opcode == CTO_SwapCc || rule->opcode == CTO_SwapCd ||
rule->opcode == CTO_SwapDd)) {
- passInstructions[passIC++] = pass_swap;
- passInstructions[passIC++] = ruleOffset >> 16;
- passInstructions[passIC++] = ruleOffset & 0xffff;
+ if (!appendInstructionChar(passNested, passInstructions, &passIC, pass_swap))
+ return 0;
+ if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, ruleOffset >> 16))
+ return 0;
+ if (!appendInstructionChar(
+ passNested, passInstructions, &passIC, ruleOffset & 0xffff))
+ return 0;
break;
}
compileError(passNested, "%s is not a swap name.",
