Brad Bishop | 64c979e | 2019-11-04 13:55:29 -0500 | [diff] [blame^] | 1 | From 064b77f173337aa790f1cec0d741bfbc61a33d31 Mon Sep 17 00:00:00 2001 |
| 2 | From: Trevor Gamblin <trevor.gamblin@windriver.com> |
| 3 | Date: Fri, 18 Oct 2019 09:57:43 -0400 |
| 4 | Subject: [PATCH] ncurses: selective backport of 20191012 patch |
| 5 | |
| 6 | Upstream-Status: Backport [https://salsa.debian.org/debian/ncurses/commit/243908b1e3d81] |
| 7 | |
| 8 | Contents of the upstream patch that are not applied to comp_hash.c, |
| 9 | parse_entry.c, or dump_entry.c have been omitted. |
| 10 | |
| 11 | CVE: CVE-2019-17594 |
| 12 | CVE: CVE-2019-17595 |
| 13 | |
| 14 | Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> |
| 15 | |
| 16 | --- |
| 17 | ncurses/tinfo/comp_hash.c | 14 ++++++++++---- |
| 18 | ncurses/tinfo/parse_entry.c | 32 ++++++++++++++++---------------- |
| 19 | progs/dump_entry.c | 7 ++++--- |
| 20 | 3 files changed, 30 insertions(+), 23 deletions(-) |
| 21 | |
| 22 | diff --git a/ncurses/tinfo/comp_hash.c b/ncurses/tinfo/comp_hash.c |
| 23 | index 21f165ca..a62d38f9 100644 |
| 24 | --- a/ncurses/tinfo/comp_hash.c |
| 25 | +++ b/ncurses/tinfo/comp_hash.c |
| 26 | @@ -44,7 +44,7 @@ |
| 27 | #include <tic.h> |
| 28 | #include <hashsize.h> |
| 29 | |
| 30 | -MODULE_ID("$Id: comp_hash.c,v 1.49 2019/03/10 00:06:48 tom Exp $") |
| 31 | +MODULE_ID("$Id: comp_hash.c,v 1.51 2019/10/12 16:32:13 tom Exp $") |
| 32 | |
| 33 | /* |
| 34 | * Finds the entry for the given string in the hash table if present. |
| 35 | @@ -63,7 +63,9 @@ _nc_find_entry(const char *string, |
| 36 | |
| 37 | hashvalue = data->hash_of(string); |
| 38 | |
| 39 | - if (data->table_data[hashvalue] >= 0) { |
| 40 | + if (hashvalue >= 0 |
| 41 | + && (unsigned) hashvalue < data->table_size |
| 42 | + && data->table_data[hashvalue] >= 0) { |
| 43 | |
| 44 | real_table = _nc_get_table(termcap); |
| 45 | ptr = real_table + data->table_data[hashvalue]; |
| 46 | @@ -96,7 +98,9 @@ _nc_find_type_entry(const char *string, |
| 47 | const HashData *data = _nc_get_hash_info(termcap); |
| 48 | int hashvalue = data->hash_of(string); |
| 49 | |
| 50 | - if (data->table_data[hashvalue] >= 0) { |
| 51 | + if (hashvalue >= 0 |
| 52 | + && (unsigned) hashvalue < data->table_size |
| 53 | + && data->table_data[hashvalue] >= 0) { |
| 54 | const struct name_table_entry *const table = _nc_get_table(termcap); |
| 55 | |
| 56 | ptr = table + data->table_data[hashvalue]; |
| 57 | @@ -124,7 +128,9 @@ _nc_find_user_entry(const char *string) |
| 58 | |
| 59 | hashvalue = data->hash_of(string); |
| 60 | |
| 61 | - if (data->table_data[hashvalue] >= 0) { |
| 62 | + if (hashvalue >= 0 |
| 63 | + && (unsigned) hashvalue < data->table_size |
| 64 | + && data->table_data[hashvalue] >= 0) { |
| 65 | |
| 66 | real_table = _nc_get_userdefs_table(); |
| 67 | ptr = real_table + data->table_data[hashvalue]; |
| 68 | diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c |
| 69 | index f8cca8b5..064376c5 100644 |
| 70 | --- a/ncurses/tinfo/parse_entry.c |
| 71 | +++ b/ncurses/tinfo/parse_entry.c |
| 72 | @@ -47,7 +47,7 @@ |
| 73 | #include <ctype.h> |
| 74 | #include <tic.h> |
| 75 | |
| 76 | -MODULE_ID("$Id: parse_entry.c,v 1.97 2019/08/03 23:10:38 tom Exp $") |
| 77 | +MODULE_ID("$Id: parse_entry.c,v 1.98 2019/10/12 00:50:31 tom Exp $") |
| 78 | |
| 79 | #ifdef LINT |
| 80 | static short const parametrized[] = |
| 81 | @@ -654,12 +654,12 @@ _nc_capcmp(const char *s, const char *t) |
| 82 | } |
| 83 | |
| 84 | static void |
| 85 | -append_acs0(string_desc * dst, int code, int src) |
| 86 | +append_acs0(string_desc * dst, int code, char *src, size_t off) |
| 87 | { |
| 88 | - if (src != 0) { |
| 89 | + if (src != 0 && off < strlen(src)) { |
| 90 | char temp[3]; |
| 91 | temp[0] = (char) code; |
| 92 | - temp[1] = (char) src; |
| 93 | + temp[1] = src[off]; |
| 94 | temp[2] = 0; |
| 95 | _nc_safe_strcat(dst, temp); |
| 96 | } |
| 97 | @@ -669,7 +669,7 @@ static void |
| 98 | append_acs(string_desc * dst, int code, char *src) |
| 99 | { |
| 100 | if (VALID_STRING(src) && strlen(src) == 1) { |
| 101 | - append_acs0(dst, code, *src); |
| 102 | + append_acs0(dst, code, src, 0); |
| 103 | } |
| 104 | } |
| 105 | |
| 106 | @@ -1038,17 +1038,17 @@ postprocess_terminfo(TERMTYPE2 *tp) |
| 107 | _nc_str_init(&result, buf2, sizeof(buf2)); |
| 108 | _nc_safe_strcat(&result, acs_chars); |
| 109 | |
| 110 | - append_acs0(&result, 'l', box_chars_1[0]); /* ACS_ULCORNER */ |
| 111 | - append_acs0(&result, 'q', box_chars_1[1]); /* ACS_HLINE */ |
| 112 | - append_acs0(&result, 'k', box_chars_1[2]); /* ACS_URCORNER */ |
| 113 | - append_acs0(&result, 'x', box_chars_1[3]); /* ACS_VLINE */ |
| 114 | - append_acs0(&result, 'j', box_chars_1[4]); /* ACS_LRCORNER */ |
| 115 | - append_acs0(&result, 'm', box_chars_1[5]); /* ACS_LLCORNER */ |
| 116 | - append_acs0(&result, 'w', box_chars_1[6]); /* ACS_TTEE */ |
| 117 | - append_acs0(&result, 'u', box_chars_1[7]); /* ACS_RTEE */ |
| 118 | - append_acs0(&result, 'v', box_chars_1[8]); /* ACS_BTEE */ |
| 119 | - append_acs0(&result, 't', box_chars_1[9]); /* ACS_LTEE */ |
| 120 | - append_acs0(&result, 'n', box_chars_1[10]); /* ACS_PLUS */ |
| 121 | + append_acs0(&result, 'l', box_chars_1, 0); /* ACS_ULCORNER */ |
| 122 | + append_acs0(&result, 'q', box_chars_1, 1); /* ACS_HLINE */ |
| 123 | + append_acs0(&result, 'k', box_chars_1, 2); /* ACS_URCORNER */ |
| 124 | + append_acs0(&result, 'x', box_chars_1, 3); /* ACS_VLINE */ |
| 125 | + append_acs0(&result, 'j', box_chars_1, 4); /* ACS_LRCORNER */ |
| 126 | + append_acs0(&result, 'm', box_chars_1, 5); /* ACS_LLCORNER */ |
| 127 | + append_acs0(&result, 'w', box_chars_1, 6); /* ACS_TTEE */ |
| 128 | + append_acs0(&result, 'u', box_chars_1, 7); /* ACS_RTEE */ |
| 129 | + append_acs0(&result, 'v', box_chars_1, 8); /* ACS_BTEE */ |
| 130 | + append_acs0(&result, 't', box_chars_1, 9); /* ACS_LTEE */ |
| 131 | + append_acs0(&result, 'n', box_chars_1, 10); /* ACS_PLUS */ |
| 132 | |
| 133 | if (buf2[0]) { |
| 134 | acs_chars = _nc_save_str(buf2); |
| 135 | diff --git a/progs/dump_entry.c b/progs/dump_entry.c |
| 136 | index d0e420ec..8a47084a 100644 |
| 137 | --- a/progs/dump_entry.c |
| 138 | +++ b/progs/dump_entry.c |
| 139 | @@ -39,7 +39,7 @@ |
| 140 | #include "termsort.c" /* this C file is generated */ |
| 141 | #include <parametrized.h> /* so is this */ |
| 142 | |
| 143 | -MODULE_ID("$Id: dump_entry.c,v 1.173 2019/05/11 21:02:24 tom Exp $") |
| 144 | +MODULE_ID("$Id: dump_entry.c,v 1.175 2019/10/12 15:59:07 tom Exp $") |
| 145 | |
| 146 | #define DISCARD(string) string = ABSENT_STRING |
| 147 | #define PRINTF (void) printf |
| 148 | @@ -1136,7 +1136,8 @@ fmt_entry(TERMTYPE2 *tterm, |
| 149 | *d++ = '\\'; |
| 150 | *d = ':'; |
| 151 | } else if (*d == '\\') { |
| 152 | - *++d = *s++; |
| 153 | + if ((*++d = *s++) == '\0') |
| 154 | + break; |
| 155 | } |
| 156 | d++; |
| 157 | *d = '\0'; |
| 158 | @@ -1396,7 +1397,7 @@ one_one_mapping(const char *mapping) |
| 159 | |
| 160 | if (VALID_STRING(mapping)) { |
| 161 | int n = 0; |
| 162 | - while (mapping[n] != '\0') { |
| 163 | + while (mapping[n] != '\0' && mapping[n + 1] != '\0') { |
| 164 | if (isLine(mapping[n]) && |
| 165 | mapping[n] != mapping[n + 1]) { |
| 166 | result = FALSE; |
| 167 | -- |
| 168 | 2.17.1 |
| 169 | |