From 064b77f173337aa790f1cec0d741bfbc61a33d31 Mon Sep 17 00:00:00 2001 From: Trevor Gamblin Date: Fri, 18 Oct 2019 09:57:43 -0400 Subject: [PATCH] ncurses: selective backport of 20191012 patch Upstream-Status: Backport [https://salsa.debian.org/debian/ncurses/commit/243908b1e3d81] Contents of the upstream patch that are not applied to comp_hash.c, parse_entry.c, or dump_entry.c have been omitted. CVE: CVE-2019-17594 CVE: CVE-2019-17595 Signed-off-by: Trevor Gamblin --- ncurses/tinfo/comp_hash.c | 14 ++++++++++---- ncurses/tinfo/parse_entry.c | 32 ++++++++++++++++---------------- progs/dump_entry.c | 7 ++++--- 3 files changed, 30 insertions(+), 23 deletions(-) diff --git a/ncurses/tinfo/comp_hash.c b/ncurses/tinfo/comp_hash.c index 21f165ca..a62d38f9 100644 --- a/ncurses/tinfo/comp_hash.c +++ b/ncurses/tinfo/comp_hash.c @@ -44,7 +44,7 @@ #include #include -MODULE_ID("$Id: comp_hash.c,v 1.49 2019/03/10 00:06:48 tom Exp $") +MODULE_ID("$Id: comp_hash.c,v 1.51 2019/10/12 16:32:13 tom Exp $") /* * Finds the entry for the given string in the hash table if present. @@ -63,7 +63,9 @@ _nc_find_entry(const char *string, hashvalue = data->hash_of(string); - if (data->table_data[hashvalue] >= 0) { + if (hashvalue >= 0 + && (unsigned) hashvalue < data->table_size + && data->table_data[hashvalue] >= 0) { real_table = _nc_get_table(termcap); ptr = real_table + data->table_data[hashvalue]; @@ -96,7 +98,9 @@ _nc_find_type_entry(const char *string, const HashData *data = _nc_get_hash_info(termcap); int hashvalue = data->hash_of(string); - if (data->table_data[hashvalue] >= 0) { + if (hashvalue >= 0 + && (unsigned) hashvalue < data->table_size + && data->table_data[hashvalue] >= 0) { const struct name_table_entry *const table = _nc_get_table(termcap); ptr = table + data->table_data[hashvalue]; @@ -124,7 +128,9 @@ _nc_find_user_entry(const char *string) hashvalue = data->hash_of(string); - if (data->table_data[hashvalue] >= 0) { + if (hashvalue >= 0 + && (unsigned) hashvalue < data->table_size + && data->table_data[hashvalue] >= 0) { real_table = _nc_get_userdefs_table(); ptr = real_table + data->table_data[hashvalue]; diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c index f8cca8b5..064376c5 100644 --- a/ncurses/tinfo/parse_entry.c +++ b/ncurses/tinfo/parse_entry.c @@ -47,7 +47,7 @@ #include #include -MODULE_ID("$Id: parse_entry.c,v 1.97 2019/08/03 23:10:38 tom Exp $") +MODULE_ID("$Id: parse_entry.c,v 1.98 2019/10/12 00:50:31 tom Exp $") #ifdef LINT static short const parametrized[] = @@ -654,12 +654,12 @@ _nc_capcmp(const char *s, const char *t) } static void -append_acs0(string_desc * dst, int code, int src) +append_acs0(string_desc * dst, int code, char *src, size_t off) { - if (src != 0) { + if (src != 0 && off < strlen(src)) { char temp[3]; temp[0] = (char) code; - temp[1] = (char) src; + temp[1] = src[off]; temp[2] = 0; _nc_safe_strcat(dst, temp); } @@ -669,7 +669,7 @@ static void append_acs(string_desc * dst, int code, char *src) { if (VALID_STRING(src) && strlen(src) == 1) { - append_acs0(dst, code, *src); + append_acs0(dst, code, src, 0); } } @@ -1038,17 +1038,17 @@ postprocess_terminfo(TERMTYPE2 *tp) _nc_str_init(&result, buf2, sizeof(buf2)); _nc_safe_strcat(&result, acs_chars); - append_acs0(&result, 'l', box_chars_1[0]); /* ACS_ULCORNER */ - append_acs0(&result, 'q', box_chars_1[1]); /* ACS_HLINE */ - append_acs0(&result, 'k', box_chars_1[2]); /* ACS_URCORNER */ - append_acs0(&result, 'x', box_chars_1[3]); /* ACS_VLINE */ - append_acs0(&result, 'j', box_chars_1[4]); /* ACS_LRCORNER */ - append_acs0(&result, 'm', box_chars_1[5]); /* ACS_LLCORNER */ - append_acs0(&result, 'w', box_chars_1[6]); /* ACS_TTEE */ - append_acs0(&result, 'u', box_chars_1[7]); /* ACS_RTEE */ - append_acs0(&result, 'v', box_chars_1[8]); /* ACS_BTEE */ - append_acs0(&result, 't', box_chars_1[9]); /* ACS_LTEE */ - append_acs0(&result, 'n', box_chars_1[10]); /* ACS_PLUS */ + append_acs0(&result, 'l', box_chars_1, 0); /* ACS_ULCORNER */ + append_acs0(&result, 'q', box_chars_1, 1); /* ACS_HLINE */ + append_acs0(&result, 'k', box_chars_1, 2); /* ACS_URCORNER */ + append_acs0(&result, 'x', box_chars_1, 3); /* ACS_VLINE */ + append_acs0(&result, 'j', box_chars_1, 4); /* ACS_LRCORNER */ + append_acs0(&result, 'm', box_chars_1, 5); /* ACS_LLCORNER */ + append_acs0(&result, 'w', box_chars_1, 6); /* ACS_TTEE */ + append_acs0(&result, 'u', box_chars_1, 7); /* ACS_RTEE */ + append_acs0(&result, 'v', box_chars_1, 8); /* ACS_BTEE */ + append_acs0(&result, 't', box_chars_1, 9); /* ACS_LTEE */ + append_acs0(&result, 'n', box_chars_1, 10); /* ACS_PLUS */ if (buf2[0]) { acs_chars = _nc_save_str(buf2); diff --git a/progs/dump_entry.c b/progs/dump_entry.c index d0e420ec..8a47084a 100644 --- a/progs/dump_entry.c +++ b/progs/dump_entry.c @@ -39,7 +39,7 @@ #include "termsort.c" /* this C file is generated */ #include /* so is this */ -MODULE_ID("$Id: dump_entry.c,v 1.173 2019/05/11 21:02:24 tom Exp $") +MODULE_ID("$Id: dump_entry.c,v 1.175 2019/10/12 15:59:07 tom Exp $") #define DISCARD(string) string = ABSENT_STRING #define PRINTF (void) printf @@ -1136,7 +1136,8 @@ fmt_entry(TERMTYPE2 *tterm, *d++ = '\\'; *d = ':'; } else if (*d == '\\') { - *++d = *s++; + if ((*++d = *s++) == '\0') + break; } d++; *d = '\0'; @@ -1396,7 +1397,7 @@ one_one_mapping(const char *mapping) if (VALID_STRING(mapping)) { int n = 0; - while (mapping[n] != '\0') { + while (mapping[n] != '\0' && mapping[n + 1] != '\0') { if (isLine(mapping[n]) && mapping[n] != mapping[n + 1]) { result = FALSE; -- 2.17.1