summaryrefslogtreecommitdiff
path: root/liblouis-3.16.1-fix-CVE-2023-26769.patch
diff options
context:
space:
mode:
Diffstat (limited to 'liblouis-3.16.1-fix-CVE-2023-26769.patch')
-rw-r--r--liblouis-3.16.1-fix-CVE-2023-26769.patch162
1 files changed, 162 insertions, 0 deletions
diff --git a/liblouis-3.16.1-fix-CVE-2023-26769.patch b/liblouis-3.16.1-fix-CVE-2023-26769.patch
new file mode 100644
index 0000000..aac94a6
--- /dev/null
+++ b/liblouis-3.16.1-fix-CVE-2023-26769.patch
@@ -0,0 +1,162 @@
+From d45430431f8c75941f863328eb3f7fc09f902b2e Mon Sep 17 00:00:00 2001
+From: Marsman1996 <lqliuyuwei@outlook.com>
+Date: Wed, 8 Feb 2023 22:10:01 +0800
+Subject: [PATCH 1/3] Check the path length before coping into tableFile
+
+---
+ liblouis/compileTranslationTable.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c
+index 3c74929bcb..2da766e169 100644
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -4539,7 +4539,9 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) {
+ char *tableFile;
+ static struct stat info;
+
+- if (table == NULL || table[0] == '\0') return NULL;
++ if (table == NULL || table[0] == '\0' ||
++ strlen(table) >= MAXSTRING * sizeof(char) * 2)
++ return NULL;
+ tableFile = (char *)malloc(MAXSTRING * sizeof(char) * 2);
+
+ //
+@@ -4547,10 +4549,13 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) {
+ //
+ if (base) {
+ int k;
++ if (strlen(base) >= MAXSTRING * sizeof(char) * 2) goto failure;
+ strcpy(tableFile, base);
+ k = (int)strlen(tableFile);
+ while (k >= 0 && tableFile[k] != '/' && tableFile[k] != '\\') k--;
+ tableFile[++k] = '\0';
++ if (strlen(tableFile) + strlen(table) >= MAXSTRING * sizeof(char) * 2)
++ goto failure;
+ strcat(tableFile, table);
+ if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
+ _lou_logMessage(LOU_LOG_DEBUG, "found table %s", tableFile);
+@@ -4582,6 +4587,10 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) {
+ last = (*cp == '\0');
+ *cp = '\0';
+ if (dir == cp) dir = ".";
++ if (strlen(dir) + strlen(table) + 1 >= MAXSTRING * sizeof(char) * 2) {
++ free(searchPath_copy);
++ goto failure;
++ }
+ sprintf(tableFile, "%s%c%s", dir, DIR_SEP, table);
+ if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
+ _lou_logMessage(LOU_LOG_DEBUG, "found table %s", tableFile);
+@@ -4589,6 +4598,10 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) {
+ return tableFile;
+ }
+ if (last) break;
++ if (strlen(dir) + strlen(table) + 16 >= MAXSTRING * sizeof(char) * 2) {
++ free(searchPath_copy);
++ goto failure;
++ }
+ sprintf(tableFile, "%s%c%s%c%s%c%s", dir, DIR_SEP, "liblouis", DIR_SEP,
+ "tables", DIR_SEP, table);
+ if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
+@@ -4600,6 +4613,7 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) {
+ }
+ free(searchPath_copy);
+ }
++failure:
+ free(tableFile);
+ return NULL;
+ }
+
+From 6f39e88745e8ec602ccc46042c305a6188f28b0a Mon Sep 17 00:00:00 2001
+From: Marsman1996 <lqliuyuwei@outlook.com>
+Date: Wed, 8 Feb 2023 22:40:52 +0800
+Subject: [PATCH 2/3] fix format: 1. define MAX_TABLEFILE_SIZE 2. parse the
+ magic number
+
+---
+ liblouis/compileTranslationTable.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c
+index 2da766e169..f334a38371 100644
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -4539,23 +4539,21 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) {
+ char *tableFile;
+ static struct stat info;
+
+- if (table == NULL || table[0] == '\0' ||
+- strlen(table) >= MAXSTRING * sizeof(char) * 2)
+- return NULL;
+- tableFile = (char *)malloc(MAXSTRING * sizeof(char) * 2);
++#define MAX_TABLEFILE_SIZE MAXSTRING * sizeof(char) * 2
++ if (table == NULL || table[0] == '\0') return NULL;
++ tableFile = (char *)malloc(MAX_TABLEFILE_SIZE);
+
+ //
+ // First try to resolve against base
+ //
+ if (base) {
+ int k;
+- if (strlen(base) >= MAXSTRING * sizeof(char) * 2) goto failure;
++ if (strlen(base) >= MAX_TABLEFILE_SIZE) goto failure;
+ strcpy(tableFile, base);
+ k = (int)strlen(tableFile);
+ while (k >= 0 && tableFile[k] != '/' && tableFile[k] != '\\') k--;
+ tableFile[++k] = '\0';
+- if (strlen(tableFile) + strlen(table) >= MAXSTRING * sizeof(char) * 2)
+- goto failure;
++ if (strlen(tableFile) + strlen(table) >= MAX_TABLEFILE_SIZE) goto failure;
+ strcat(tableFile, table);
+ if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
+ _lou_logMessage(LOU_LOG_DEBUG, "found table %s", tableFile);
+@@ -4567,6 +4565,7 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) {
+ // It could be an absolute path, or a path relative to the current working
+ // directory
+ //
++ if (strlen(table) >= MAX_TABLEFILE_SIZE) goto failure;
+ strcpy(tableFile, table);
+ if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
+ _lou_logMessage(LOU_LOG_DEBUG, "found table %s", tableFile);
+@@ -4587,7 +4586,7 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) {
+ last = (*cp == '\0');
+ *cp = '\0';
+ if (dir == cp) dir = ".";
+- if (strlen(dir) + strlen(table) + 1 >= MAXSTRING * sizeof(char) * 2) {
++ if (strlen(dir) + strlen(table) + 1 >= MAX_TABLEFILE_SIZE) {
+ free(searchPath_copy);
+ goto failure;
+ }
+@@ -4598,7 +4597,8 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) {
+ return tableFile;
+ }
+ if (last) break;
+- if (strlen(dir) + strlen(table) + 16 >= MAXSTRING * sizeof(char) * 2) {
++ if (strlen(dir) + strlen("liblouis") + strlen("tables") + strlen(table) + 3 >=
++ MAX_TABLEFILE_SIZE) {
+ free(searchPath_copy);
+ goto failure;
+ }
+
+From 9f6cec9b63c1d9396fcc32fed77267a2815b648f Mon Sep 17 00:00:00 2001
+From: Marsman1996 <lqliuyuwei@outlook.com>
+Date: Wed, 8 Feb 2023 23:01:56 +0800
+Subject: [PATCH 3/3] add parentheses for define expression
+
+---
+ liblouis/compileTranslationTable.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c
+index f334a38371..3575792796 100644
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -4539,7 +4539,7 @@ resolveSubtable(const char *table, const char *base, const char *searchPath) {
+ char *tableFile;
+ static struct stat info;
+
+-#define MAX_TABLEFILE_SIZE MAXSTRING * sizeof(char) * 2
++#define MAX_TABLEFILE_SIZE (MAXSTRING * sizeof(char) * 2)
+ if (table == NULL || table[0] == '\0') return NULL;
+ tableFile = (char *)malloc(MAX_TABLEFILE_SIZE);
+
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-29 21:36:06 +0000