| |
@@ -0,0 +1,142 @@
|
| |
+ From c9db621bf4f5c9e230148478952de6950f57a283 Mon Sep 17 00:00:00 2001
|
| |
+ From: Ondrej Dubaj <odubaj@redhat.com>
|
| |
+ Date: Wed, 5 Jun 2019 13:06:17 +0200
|
| |
+ Subject: [PATCH] fixed buffer underwrite in read.c:get_line()
|
| |
+
|
| |
+ A buffer underwrite vulnerability in get_line()
|
| |
+ (read.c) in fig2dev allows an attacker to write
|
| |
+ prior to the beginning of the buffer via a
|
| |
+ crafted .fig file.
|
| |
+ ---
|
| |
+ fig2dev/dev/readpcx.c | 2 --
|
| |
+ fig2dev/read.c | 54 ++++++++++++++++++++++++++++++-------------
|
| |
+ 2 files changed, 38 insertions(+), 18 deletions(-)
|
| |
+
|
| |
+ diff --git a/fig2dev/dev/readpcx.c b/fig2dev/dev/readpcx.c
|
| |
+ index 32a266a..d669114 100644
|
| |
+ --- a/fig2dev/dev/readpcx.c
|
| |
+ +++ b/fig2dev/dev/readpcx.c
|
| |
+ @@ -88,8 +88,6 @@ _read_pcx(FILE *pcxfile, F_pic *pic)
|
| |
+ fprintf(tfp, "%% Begin Imported PCX File: %s\n\n", pic->file);
|
| |
+ pic->subtype = P_PCX;
|
| |
+
|
| |
+ - pic->bitmap=NULL;
|
| |
+ -
|
| |
+ fread(&header,1,sizeof(struct pcxhed),pcxfile);
|
| |
+ if (header.manuf!=10 || header.encod!=1)
|
| |
+ return 0;
|
| |
+ diff --git a/fig2dev/read.c b/fig2dev/read.c
|
| |
+ index be9f62c..19c5dc8 100644
|
| |
+ --- a/fig2dev/read.c
|
| |
+ +++ b/fig2dev/read.c
|
| |
+ @@ -199,12 +199,24 @@ read_objects(FILE *fp, F_compound *obj)
|
| |
+ int object, coord_sys, len;
|
| |
+
|
| |
+ memset((char*)obj, '\0', COMOBJ_SIZE);
|
| |
+ +
|
| |
+ (void) fgets(buf, BUF_SIZE, fp); /* get the version line */
|
| |
+ + if (strncmp(buf, "#FIG ", 5)) {
|
| |
+ + put_msg("Incorrect format string in first line of input file.");
|
| |
+ + return -1;
|
| |
+ + }
|
| |
+ +
|
| |
+ + /* remove newline and any carriage return (from a PC, perhaps) */
|
| |
+ len = strlen(buf);
|
| |
+ - if (len > 0)
|
| |
+ - buf[len-1] = '\0'; /* remove newline */
|
| |
+ - if (buf[len-2] == '\r')
|
| |
+ - buf[len-2] = '\0'; /* and any CR (from a PC perhaps) */
|
| |
+ + if (buf[len-1] == '\n') {
|
| |
+ + if (buf[len-2] == '\r')
|
| |
+ + buf[len-2] = '\0';
|
| |
+ + else
|
| |
+ + buf[len-1] = '\0';
|
| |
+ + } else { /* fgets() only stops at newline and end-of-file */
|
| |
+ + put_msg("File is truncated at first line.");
|
| |
+ + return -1;
|
| |
+ + }
|
| |
+
|
| |
+ /* v2_flag is for version 2 or higher */
|
| |
+ v2_flag = (!strncmp(buf, "#FIG 2", 6) || !strncmp(buf, "#FIG 3", 6));
|
| |
+ @@ -854,6 +866,8 @@ read_lineobject(FILE *fp)
|
| |
+ l->next = NULL;
|
| |
+ l->join_style = 0;
|
| |
+ l->cap_style = 0; /* butt line cap */
|
| |
+ + l->pic = NULL;
|
| |
+ + l->comments = NULL;
|
| |
+
|
| |
+ sscanf(buf,"%*d%d",&l->type); /* get the line type */
|
| |
+
|
| |
+ @@ -920,12 +934,18 @@ read_lineobject(FILE *fp)
|
| |
+ note_arrow(type, style);
|
| |
+ }
|
| |
+ if (l->type == T_PIC_BOX) {
|
| |
+ - Pic_malloc(l->pic);
|
| |
+ - l->pic->transp = -1;
|
| |
+ - if (l->pic == NULL) {
|
| |
+ + if ((Pic_malloc(l->pic)) == NULL) {
|
| |
+ free((char *)l);
|
| |
+ return NULL;
|
| |
+ }
|
| |
+ + l->pic->transp = -1;
|
| |
+ + l->pic->bitmap = NULL;
|
| |
+ +#ifdef HAVE_X11_XPM_H
|
| |
+ + /* initialize l->pic->xpmimage by (ab)using a
|
| |
+ + public libxpm-function */
|
| |
+ + XpmCreateXpmImageFromBuffer("", &l->pic->xpmimage, NULL);
|
| |
+ +#endif
|
| |
+ +
|
| |
+ if (get_line(fp) < 0 || sscanf(buf, "%d %[^\n]",
|
| |
+ &l->pic->flipped, file) != 2) {
|
| |
+ put_msg(Err_incomp, "Picture object", line_no);
|
| |
+ @@ -947,8 +967,7 @@ read_lineobject(FILE *fp)
|
| |
+ } else {
|
| |
+ strcpy(l->pic->file, file);
|
| |
+ }
|
| |
+ - } else
|
| |
+ - l->pic = NULL;
|
| |
+ + }
|
| |
+
|
| |
+ if (NULL == (l->points = Point_malloc(p))) {
|
| |
+ put_msg(Err_mem);
|
| |
+ @@ -1029,6 +1048,7 @@ read_splineobject(FILE *fp)
|
| |
+ s->fill_style = 0;
|
| |
+ s->for_arrow = NULL;
|
| |
+ s->back_arrow = NULL;
|
| |
+ + s->comments = NULL;
|
| |
+ s->next = NULL;
|
| |
+
|
| |
+ if (v30_flag) {
|
| |
+ @@ -1200,6 +1220,7 @@ read_textobject(FILE *fp)
|
| |
+ Text_malloc(t);
|
| |
+ t->font = 0;
|
| |
+ t->size = 0.0;
|
| |
+ + t->comments = NULL;
|
| |
+ t->next = NULL;
|
| |
+
|
| |
+ if (v30_flag) { /* order of parms is more like other objects now,
|
| |
+ @@ -1397,13 +1418,14 @@ get_line(FILE *fp)
|
| |
+ if (*buf == '#') { /* save any comments */
|
| |
+ if (save_comment() < 0)
|
| |
+ return -1;
|
| |
+ - } else if (*buf != '\n') { /* Skip empty lines */
|
| |
+ - len = strlen(buf);
|
| |
+ - buf[len-1] = '\0'; /* strip trailing newline */
|
| |
+ - if (buf[len-2] == '\r')
|
| |
+ - buf[len-2] = '\0'; /* strip any trailing CRs */
|
| |
+ - return 1;
|
| |
+ - }
|
| |
+ + /* skip empty lines */
|
| |
+ + } else if (*buf != '\n' || !(*buf == '\r' && buf[1] == '\n')) {
|
| |
+ + len = strlen(buf);
|
| |
+ + /* remove newline and possibly a carriage return */
|
| |
+ + if (buf[len-1] == '\n')
|
| |
+ + buf[len - (buf[len-2] == '\r' ? 2 : 1)] = '\0';
|
| |
+ + return 1;
|
| |
+ + }
|
| |
+ }
|
| |
+ }
|
| |
+
|
| |
+ --
|
| |
+ 2.17.1
|
| |
+
|
| |
odubaj
commented 4 years ago
A buffer underwrite vulnerability in get_line()
(read.c) in fig2dev allows an attacker to write
prior to the beginning of the buffer via a
crafted .fig file.
RHBZ#1627975