path: root/meta/recipes-core/ncurses/files/CVE-2023-45918.patch
blob: fbdae49a61c523b234cdd06bc65309a8b06877f5 (plain)
From bcf02d3242f1c7d57224a95f7903fcf4b5e7695d Mon Sep 17 00:00:00 2001
From: Thomas E. Dickey <dickey@invisible-island.net>
Date: Fri, 16 Jun 2023 02:54:29 +0530
Subject: [PATCH] Fix CVE-2023-45918

CVE: CVE-2023-45918

Upstream-Status: Backport [https://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=bcf02d3242f1c7d57224a95f7903fcf4b5e7695d]

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
---
 ncurses/tinfo/comp_error.c | 15 ++++++---
 ncurses/tinfo/read_entry.c | 65 ++++++++++++++++++++++++++------------
 2 files changed, 56 insertions(+), 24 deletions(-)

diff --git a/ncurses/tinfo/comp_error.c b/ncurses/tinfo/comp_error.c
index 48f48784..ee518e28 100644
--- a/ncurses/tinfo/comp_error.c
+++ b/ncurses/tinfo/comp_error.c
@@ -60,8 +60,15 @@ _nc_get_source(void)
 NCURSES_EXPORT(void)
 _nc_set_source(const char *const name)
 {
-    FreeIfNeeded(SourceName);
-    SourceName = strdup(name);
+    if (name == NULL) {
+	free(SourceName);
+	SourceName = NULL;
+    } else if (SourceName == NULL) {
+	SourceName = strdup(name);
+    } else if (strcmp(name, SourceName)) {
+	free(SourceName);
+	SourceName = strdup(name);
+    }
 }

 NCURSES_EXPORT(void)
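Review bot: The `strcmp(name, SourceName)` branch in `_nc_set_source` is what keeps the function safe when `name` is the pointer that `_nc_get_source()` handed out earlier (presumably `SourceName` itself; the read_entry.c change in this patch passes that pointer back in), but nothing in the code says so. A comment such as `/* name may alias SourceName: compare before freeing, never free first */` above that branch would stop a later cleanup from restoring the old free-then-strdup order. Both `strdup` results are unchecked; on allocation failure `SourceName` ends up NULL, which `where_is_problem` prints as "?", so that looks tolerable but is worth stating in the same comment.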
@@ -95,9 +102,9 @@ static NCURSES_INLINE void
 where_is_problem(void)
 {
     fprintf(stderr, "\"%s\"", SourceName ? SourceName : "?");
-    if (_nc_curr_line >= 0)
+    if (_nc_curr_line > 0)
	fprintf(stderr, ", line %d", _nc_curr_line);
-    if (_nc_curr_col >= 0)
+    if (_nc_curr_col > 0)
	fprintf(stderr, ", col %d", _nc_curr_col);
     if (TermType != 0 && TermType[0] != '\0')
	fprintf(stderr, ", terminal '%s'", TermType);
diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c
index 341337d2..b0c3ad26 100644
--- a/ncurses/tinfo/read_entry.c
+++ b/ncurses/tinfo/read_entry.c
@@ -138,12 +138,13 @@ convert_16bits(char *buf, NCURSES_INT2 *Numbers, int count)
 }
 #endif

-static void
-convert_strings(char *buf, char **Strings, int count, int size, char *table)
+static bool
+convert_strings(char *buf, char **Strings, int count, int size,
+		char *table, bool always)
 {
     int i;
     char *p;
-    bool corrupt = FALSE;
+    bool success = TRUE;

     for (i = 0; i < count; i++) {
	if (IS_NEG1(buf + 2 * i)) {
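Review bot: `convert_strings` gains a return value and an `always` flag but no comment describing either, and its contract has changed: on failure the loop now stops early, so `Strings[i]` and every later entry is left unassigned instead of being set to ABSENT_STRING as before. I would add a header comment along the lines of `/* Returns FALSE on a corrupt offset or, when always is TRUE, on a missing or empty entry; Strings[] is then only partly filled and must be discarded. */`. The function body continues past this hunk; the three call sites visible in this patch all return TGETENT_NO on FALSE, which matches that contract.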
@@ -159,13 +160,10 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
		TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
				    _nc_visbuf(Strings[i])));
	    } else {
-		if (!corrupt) {
-		    corrupt = TRUE;
-		    TR(TRACE_DATABASE,
-		       ("ignore out-of-range index %d to Strings[]", nn));
-		    _nc_warning("corrupt data found in convert_strings");
-		}
-		Strings[i] = ABSENT_STRING;
+		TR(TRACE_DATABASE,
+		   ("found out-of-range index %d to Strings[%d]", nn, i));
+		success = FALSE;
+		break;
	    }
	}

@@ -175,10 +173,25 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
		if (*p == '\0')
		    break;
	    /* if there is no NUL, ignore the string */
-	    if (p >= table + size)
+	    if (p >= table + size) {
		Strings[i] = ABSENT_STRING;
+	    } else if (p == Strings[i] && always) {
+		TR(TRACE_DATABASE,
+		   ("found empty but required Strings[%d]", i));
+		success = FALSE;
+		break;
+	    }
+	} else if (always) {	/* names are always needed */
+	    TR(TRACE_DATABASE,
+	       ("found invalid but required Strings[%d]", i));
+	    success = FALSE;
+	    break;
	}
     }
+    if (!success) {
+	_nc_warning("corrupt data found in convert_strings");
+    }
+    return success;
 }

 static int
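Review bot: In the NUL-termination check, the `p >= table + size` branch still stores ABSENT_STRING and carries on even when `always` is set, so a required name with no terminator inside the table is accepted while an empty or invalid one is rejected. If the consumers of `ext_Names` cannot handle ABSENT_STRING (not visible here), that branch should fail the same way: put `if (always) { success = FALSE; break; }` ahead of `Strings[i] = ABSENT_STRING;`. The existing comment `/* if there is no NUL, ignore the string */` should then say it applies only to optional strings. The start of the function is outside this hunk.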
@@ -382,7 +395,10 @@ _nc_read_termtype(TERMTYPE2 *ptr, char *buffer, int limit)
	if (Read(string_table, (unsigned) str_size) != str_size) {
	    returnDB(TGETENT_NO);
	}
-	convert_strings(buf, ptr->Strings, str_count, str_size, string_table);
+	if (!convert_strings(buf, ptr->Strings, str_count, str_size,
+			     string_table, FALSE)) {
+	    returnDB(TGETENT_NO);
+	}
     }
 #if NCURSES_XNAMES

@@ -483,8 +499,10 @@ _nc_read_termtype(TERMTYPE2 *ptr, char *buffer, int limit)
	       ("Before computing extended-string capabilities "
		"str_count=%d, ext_str_count=%d",
		str_count, ext_str_count));
-	    convert_strings(buf, ptr->Strings + str_count, ext_str_count,
-			    ext_str_limit, ptr->ext_str_table);
+	    if (!convert_strings(buf, ptr->Strings + str_count, ext_str_count,
+				 ext_str_limit, ptr->ext_str_table, FALSE)) {
+		returnDB(TGETENT_NO);
+	    }
	    for (i = ext_str_count - 1; i >= 0; i--) {
		TR(TRACE_DATABASE, ("MOVE from [%d:%d] %s",
				    i, i + str_count,
@@ -516,10 +534,13 @@ _nc_read_termtype(TERMTYPE2 *ptr, char *buffer, int limit)
	    TR(TRACE_DATABASE,
	       ("ext_NAMES starting @%d in extended_strings, first = %s",
		base, _nc_visbuf(ptr->ext_str_table + base)));
-	    convert_strings(buf + (2 * ext_str_count),
-			    ptr->ext_Names,
-			    (int) need,
-			    ext_str_limit, ptr->ext_str_table + base);
+	    if (!convert_strings(buf + (2 * ext_str_count),
+				 ptr->ext_Names,
+				 (int) need,
+				 ext_str_limit, ptr->ext_str_table + base,
+				 TRUE)) {
+		returnDB(TGETENT_NO);
+	    }
	}

	TR(TRACE_DATABASE,
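Review bot: The `ext_Names` call passes `ptr->ext_str_table + base` as the table but still `ext_str_limit` as its size, the same limit the preceding call uses with the un-offset table. Inside `convert_strings` the NUL scan is bounded by `table + size`, which for this call would sit `base` bytes past the end of the data if `ext_str_limit` is the length of the whole extended string table; I cannot confirm that from the hunk. If it is, the bound should be the remaining length, `ext_str_limit - base`, so that malformed terminfo data cannot make the scan read beyond the table.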
@@ -572,13 +593,17 @@ _nc_read_file_entry(const char *const filename, TERMTYPE2 *ptr)
	int limit;
	char buffer[MAX_ENTRY_SIZE + 1];

-	if ((limit = (int) fread(buffer, sizeof(char), sizeof(buffer), fp))
-	    > 0) {
+	limit = (int) fread(buffer, sizeof(char), sizeof(buffer), fp);
+	if (limit > 0) {
+	    const char *old_source = _nc_get_source();

	    TR(TRACE_DATABASE, ("read terminfo %s", filename));
+	    if (old_source == NULL)
+		_nc_set_source(filename);
	    if ((code = _nc_read_termtype(ptr, buffer, limit)) == TGETENT_NO) {
		_nc_free_termtype2(ptr);
	    }
+	    _nc_set_source(old_source);
	} else {
	    code = TGETENT_NO;
	}
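Review bot: `old_source` keeps the raw pointer returned by `_nc_get_source()` across the `_nc_read_termtype` call and then hands it to `_nc_set_source`, which (in the comp_error.c hunk) runs `strcmp(name, SourceName)` on it. That is fine while nothing changes the source in between, but if any code reached from `_nc_read_termtype` calls `_nc_set_source` with a different name, the saved pointer presumably refers to freed memory by then. Since the name is only replaced here when it was NULL, the restore can be limited to that case: `if (old_source == NULL) _nc_set_source(NULL);`. The enclosing function starts and ends outside this hunk.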
--
2.40.0