File opencc-CVE-2018-16982.patch of Package opencc.34409
commit 4a4f9e58e505fca93605f22363c133df66a91a5e Author: Peng Wu <pwu@redhat.com> Date: Mon Mar 1 11:09:36 2021 +0800 Check offset bounds in BinaryDict::NewFromFile method diff -Nura OpenCC-ver.1.0.5/src/BinaryDict.cpp OpenCC-ver.1.0.5_new/src/BinaryDict.cpp --- OpenCC-ver.1.0.5/src/BinaryDict.cpp 2017-02-07 06:18:02.000000000 +0800 +++ OpenCC-ver.1.0.5_new/src/BinaryDict.cpp 2024-06-15 23:13:30.874087188 +0800 @@ -63,6 +63,12 @@ } BinaryDictPtr BinaryDict::NewFromFile(FILE* fp) { + size_t offsetBound, savedOffset; + savedOffset = ftell(fp); + fseek(fp, 0L, SEEK_END); + offsetBound = ftell(fp) - savedOffset; + fseek(fp, savedOffset, SEEK_SET); + BinaryDictPtr dict(new BinaryDict(LexiconPtr(new Lexicon))); // Number of items @@ -109,7 +115,7 @@ // Key offset size_t keyOffset; unitsRead = fread(&keyOffset, sizeof(size_t), 1, fp); - if (unitsRead != 1) { + if (unitsRead != 1 || keyOffset >= offsetBound) { throw InvalidFormat("Invalid OpenCC binary dictionary (keyOffset)"); } const char* key = dict->keyBuffer.c_str() + keyOffset; @@ -118,7 +124,7 @@ for (size_t j = 0; j < numValues; j++) { size_t valueOffset; unitsRead = fread(&valueOffset, sizeof(size_t), 1, fp); - if (unitsRead != 1) { + if (unitsRead != 1 || valueOffset >= offsetBound) { throw InvalidFormat("Invalid OpenCC binary dictionary (valueOffset)"); } const char* value = dict->valueBuffer.c_str() + valueOffset;
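Review bot: In the first hunk (top of BinaryDict::NewFromFile), the ftell and fseek results are used without any error check. ftell returns a long and reports failure as -1; assigning that to the size_t variables savedOffset and offsetBound converts it silently, so on a stream that cannot seek the bound is computed from an invalid value instead of the error being reported. Keep the ftell results in a long, reject negative values, check the return code of both fseek calls, and throw InvalidFormat before any offset is compared against offsetBound.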
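Review bot: In the keyOffset hunk, the new test `keyOffset >= offsetBound` compares against the number of bytes left in the file at entry, while the next line uses the offset to index a different object: `dict->keyBuffer.c_str() + keyOffset`. keyBuffer is not necessarily as large as the rest of the file, so an offset beyond the end of keyBuffer but below offsetBound still passes and the resulting pointer is out of bounds. Compare keyOffset against the length of the key buffer itself, and keep the file-size bound only as a coarse sanity check if it is wanted at all.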
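Review bot: In the valueOffset hunk, inside the `for (size_t j = 0; j < numValues; j++)` loop, valueOffset is also tested against the file-derived offsetBound although it is applied to `dict->valueBuffer.c_str() + valueOffset`. The limit that makes this pointer safe is the length of valueBuffer, so the condition should use that length. It would also help to give the out-of-range case its own InvalidFormat message, since the current one is shared with a short fread and does not tell the two failures apart.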