File 0002-Fix-m17n-backspace-handling-causes-out-of-... of Package w3m

Overview Repositories Revisions Requests Users Attributes Meta

File 0002-Fix-m17n-backspace-handling-causes-out-of-bounds-wri.patch of Package w3m

From b4d0aba9da50ee62c43c1ac7bd1b70c4c5909438 Mon Sep 17 00:00:00 2001
From: Tatsuya Kinoshita <tats@debian.org>
Date: Tue, 20 Dec 2022 21:16:48 +0900
Subject: [PATCH 2/2] Fix m17n backspace handling causes out-of-bounds write in
 checkType

[CVE-2022-38223]
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019599
Bug-Debian: https://github.com/tats/w3m/issues/242

(cherry picked from commit 419ca82d57c72242817b55e2eaa4cdbf6916e7fa)
---
 etc.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/etc.c b/etc.c
index dea56b5..e7b4c53 100644
--- a/etc.c
+++ b/etc.c
@@ -256,6 +256,9 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
 #ifdef USE_M17N
     int i;
     int plen = 0, clen;
+    int *plens = NULL;
+    static int *plens_buffer = NULL;
+    static int plens_size = 0;
 #endif
 
     if (prop_size < s->length) {
@@ -263,6 +266,13 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
 	prop_buffer = New_Reuse(Lineprop, prop_buffer, prop_size);
     }
     prop = prop_buffer;
+#ifdef USE_M17N
+    if (plens_size < s->length) {
+	plens_size = (s->length > LINELEN) ? s->length : LINELEN;
+	plens_buffer = New_Reuse(int, plens_buffer, plens_size);
+    }
+    plens = plens_buffer;
+#endif
 
     if (ShowEffect) {
 	bs = memchr(str, '\b', s->length);
@@ -297,14 +307,21 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
 #ifdef USE_ANSI_COLOR
 		if (color)
 		    *(color++) = 0;
+#endif
+#ifdef USE_M17N
+		*(plens++) = plen = 1;
 #endif
 	    }
 	    Strcat_charp_n(s, sp, (int)(str - sp));
 	}
     }
     if (!do_copy) {
-	for (; str < endp && IS_ASCII(*str); str++)
+	for (; str < endp && IS_ASCII(*str); str++) {
 	    *(prop++) = PE_NORMAL | (IS_CNTRL(*str) ? PC_CTRL : PC_ASCII);
+#ifdef USE_M17N
+	    *(plens++) = plen = 1;
+#endif
+	}
     }
 
     while (str < endp) {
@@ -366,6 +383,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
 			else {
 			    Strshrink(s, plen);
 			    prop -= plen;
+			    plen = *(--plens);
 			    str += 2;
 			}
 		    }
@@ -387,6 +405,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
 			else {
 			    Strshrink(s, plen);
 			    prop -= plen;
+			    plen = *(--plens);
 			    str++;
 			}
 #else
@@ -441,6 +460,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
 	*(prop++) = mode;
 #ifdef USE_M17N
 	plen = get_mclen(str);
+	*(plens++) = plen;
 	if (plen > 1) {
 	    mode = (mode & ~PC_WCHAR1) | PC_WCHAR2;
 	    for (i = 1; i < plen; i++) {
-- 
2.39.0

Places

File 0002-Fix-m17n-backspace-handling-causes-out-of-bounds-wri.patch of Package w3m

Places