File ncurses-5.9-bsc1046853_1046858.dif of Package ncurses
Based on patch 20170701 for ncurses 6.0
Fixes for CVE-2017-10684 and CVE-2017-10685
---
ncurses/tinfo/alloc_entry.c | 6 +++++-
ncurses/tinfo/parse_entry.c | 22 ++++++++++++----------
progs/dump_entry.c | 30 +++++++++++++++++++-----------
3 files changed, 36 insertions(+), 22 deletions(-)
--- ncurses/tinfo/alloc_entry.c
+++ ncurses/tinfo/alloc_entry.c 2017-07-03 07:33:48.632335860 +0000
@@ -96,7 +96,11 @@ _nc_save_str(const char *const string)
{
char *result = 0;
size_t old_next_free = next_free;
- size_t len = strlen(string) + 1;
+ size_t len;
+
+ if (string == 0)
+ return _nc_save_str("");
+ len = strlen(string) + 1;
if (len == 1 && next_free != 0) {
/*
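Review bot: The new guard in `_nc_save_str` covers a null pointer only, so a cancelled-string sentinel (`CANCELLED_STRING` in ncurses) would still reach `strlen()`. The parse_entry.c part of this patch already uses `VALID_STRING` for that purpose; if the macro is visible in alloc_entry.c, `if (!VALID_STRING(string))` rejects both values in one test. A short comment such as `/* absent strings are stored as "" so callers never see a null copy */` would also record why the substitution is made. The function body continues outside the hunk.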
--- ncurses/tinfo/parse_entry.c
+++ ncurses/tinfo/parse_entry.c 2017-07-03 07:38:49.494834364 +0000
@@ -236,13 +236,14 @@ _nc_parse_entry(struct entry *entryp, in
* implemented it. Note that the resulting terminal type was never the
* 2-character name, but was instead the first alias after that.
*/
+#define ok_TC2(s) (isgraph(UChar(s)) && (s) != '|')
ptr = _nc_curr_token.tk_name;
if (_nc_syntax == SYN_TERMCAP
#if NCURSES_XNAMES
&& !_nc_user_definable
#endif
) {
- if (ptr[2] == '|') {
+ if (ok_TC2(ptr[0]) && ok_TC2(ptr[1]) && ptr[2] == '|') {
ptr += 3;
_nc_curr_token.tk_name[2] = '\0';
}
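Review bot: `ok_TC2` is defined in the middle of `_nc_parse_entry` with no comment and no `#undef`, and the safety of the new condition rests on evaluation order that is nowhere stated. `ptr[2]` is read only after `ptr[0]` and `ptr[1]` have passed `isgraph()`, so a name shorter than two characters is never indexed past its terminator. I would put `/* both name characters must be printable and not '|'; tested left to right so ptr[2] is read only when ptr[0] and ptr[1] are non-NUL */` above the macro and add `#undef ok_TC2` after the block. The enclosing function starts and ends outside the hunk.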
@@ -284,9 +285,11 @@ _nc_parse_entry(struct entry *entryp, in
if (is_use || is_tc) {
entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring);
entryp->uses[entryp->nuses].line = _nc_curr_line;
- entryp->nuses++;
- if (entryp->nuses > 1 && is_tc) {
- BAD_TC_USAGE
+ if (VALID_STRING(entryp->uses[entryp->nuses].name)) {
+ entryp->nuses++;
+ if (entryp->nuses > 1 && is_tc) {
+ BAD_TC_USAGE
+ }
}
} else {
/* normal token lookup */
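Review bot: The added `VALID_STRING` test inspects the copy returned by `_nc_save_str()`, so it only catches a failed save. With the alloc_entry.c change in this same patch, a null `tk_valstring` comes back as `""`, passes the test, and is counted as a use-clause with an empty name. Testing the token before saving, `if (!VALID_STRING(_nc_curr_token.tk_valstring) || _nc_curr_token.tk_valstring[0] == '\0')`, and skipping the clause with a warning would reject it before anything is stored. The store into `entryp->uses[entryp->nuses]` also has no visible capacity check; if the part of `_nc_parse_entry` outside this hunk does not bound `nuses`, that check belongs here too.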
@@ -571,7 +574,7 @@ append_acs0(string_desc * dst, int code,
static void
append_acs(string_desc * dst, int code, char *src)
{
- if (src != 0 && strlen(src) == 1) {
+ if (VALID_STRING(src) && strlen(src) == 1) {
append_acs0(dst, code, *src);
}
}
@@ -829,15 +832,14 @@ postprocess_termcap(TERMTYPE *tp, bool h
}
if (tp->Strings[to_ptr->nte_index]) {
+ const char *s = tp->Strings[from_ptr->nte_index];
+ const char *t = tp->Strings[to_ptr->nte_index];
/* There's no point in warning about it if it's the same
* string; that's just an inefficiency.
*/
- if (strcmp(
- tp->Strings[from_ptr->nte_index],
- tp->Strings[to_ptr->nte_index]) != 0)
+ if (VALID_STRING(s) && VALID_STRING(t) && strcmp(s, t) != 0)
_nc_warning("%s (%s) already has an explicit value %s, ignoring ko",
- ap->to, ap->from,
- _nc_visbuf(tp->Strings[to_ptr->nte_index]));
+ ap->to, ap->from, t);
continue;
}
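Review bot: The rewritten `_nc_warning` call passes `t` straight to `%s`, where the old code wrapped the same string in `_nc_visbuf()`. Capability strings routinely contain escape and control characters, and here they come from the entry being compiled, so the warning can now write raw control sequences to the user's terminal or log. Keeping the escaping costs nothing with the new locals: `ap->to, ap->from, _nc_visbuf(t));`. The `VALID_STRING` guards themselves look right for the null and cancelled cases.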
--- progs/dump_entry.c
+++ progs/dump_entry.c 2017-07-03 07:49:22.131096596 +0000
@@ -609,9 +609,10 @@ fmt_entry(TERMTYPE *tterm,
PredIdx num_strings = 0;
bool outcount = 0;
-#define WRAP_CONCAT \
- wrap_concat(buffer); \
- outcount = TRUE
+#define WRAP_CONCAT1(s) wrap_concat(s); outcount = TRUE
+#define WRAP_CONCAT2(a,b) wrap_concat(a); WRAP_CONCAT1(b)
+#define WRAP_CONCAT3(a,b,c) wrap_concat(a); WRAP_CONCAT2(b,c)
+#define WRAP_CONCAT WRAP_CONCAT1(buffer)
len = 12; /* terminfo file-header */
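Review bot: The new `WRAP_CONCAT1/2/3` macros expand to several bare statements, so any use as the body of an unbraced `if` or `else` would run only the first `wrap_concat()` conditionally and the rest always. The uses visible in this patch are inside braces, but the patch adds three more such macros and moves calls around, so the hazard grows. Wrapping the base macro is enough, since the others build on it: `#define WRAP_CONCAT1(s) do { wrap_concat(s); outcount = TRUE; } while (0)`, with `WRAP_CONCAT2` and `WRAP_CONCAT3` wrapped the same way.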
@@ -802,13 +803,21 @@ fmt_entry(TERMTYPE *tterm,
_nc_SPRINTF(buffer, _nc_SLIMIT(sizeof(buffer))
"%s=!!! %s WILL NOT CONVERT !!!",
name, srccap);
+ WRAP_CONCAT;
} else if (suppress_untranslatable) {
continue;
} else {
char *s = srccap, *d = buffer;
- _nc_SPRINTF(d, _nc_SLIMIT(sizeof(buffer)) "..%s=", name);
- d += strlen(d);
+ WRAP_CONCAT3("..", name, "=");
while ((*d = *s++) != 0) {
+ if ((d - buffer - 1) >= (int) sizeof(buffer)) {
+ fprintf(stderr,
+ "%s: value for %s is too long\n",
+ _nc_progname,
+ name);
+ *d = '\0';
+ break;
+ }
if (*d == ':') {
*d++ = '\\';
*d = ':';
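Review bot: The new length check in the copy loop fires too late to protect `buffer`. The byte is stored by `*d = *s++` in the `while` condition before the test runs, and `(d - buffer - 1) >= (int) sizeof(buffer)` only becomes true once `d` is already beyond `buffer + sizeof(buffer)`, so at least two bytes land past the end before the loop stops. The `':'` branch stores a second byte per iteration, which widens the gap. The check should run before the store and leave room for an escaped pair plus the terminator, with `*d = '\0';` written after the loop. The loop body continues outside this hunk, so the reserve of three bytes assumes no branch there stores more than two.

```c
while (*s != 0) {
    /* an escaped character stores two bytes; the terminator needs one more */
    if ((size_t) (d - buffer) + 3 > sizeof(buffer)) {
        fprintf(stderr, "%s: value for %s is too long\n",
                _nc_progname, name);
        break;
    }
    *d = *s++;
    /* … unchanged: ':' escaping and the remaining branches, then d++ … */
```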
@@ -817,13 +826,12 @@ fmt_entry(TERMTYPE *tterm,
}
d++;
}
+ WRAP_CONCAT;
}
} else {
- _nc_SPRINTF(buffer, _nc_SLIMIT(sizeof(buffer))
- "%s=%s", name, cv);
+ WRAP_CONCAT3(name, "=", cv);
}
len += (int) strlen(capability) + 1;
- WRAP_CONCAT;
} else {
char *src = _nc_tic_expand(capability,
outform == F_TERMINFO, numbers);
@@ -839,8 +847,7 @@ fmt_entry(TERMTYPE *tterm,
strcpy_DYN(&tmpbuf, src);
}
len += (int) strlen(capability) + 1;
- wrap_concat(tmpbuf.text);
- outcount = TRUE;
+ WRAP_CONCAT1(tmpbuf.text);
}
}
/* e.g., trimmed_sgr0 */
@@ -1203,7 +1210,8 @@ dump_entry(TERMTYPE *tterm,
}
if (len > critlen) {
(void) fprintf(stderr,
- "warning: %s entry is %d bytes long\n",
+ "%s: %s entry is %d bytes long\n",
+ _nc_progname,
_nc_first_name(tterm->term_names),
len);
SHOW_WHY("# WARNING: this entry, %d bytes long, may core-dump %s libraries!\n",