You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
transfig/SOURCES/0012-CVE-2020-21678-CVE-202...

135 lines
4.4 KiB

From 8e7bcd6952535163a919e1f6891b44521ba86a8d Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj <odubaj@redhat.com>
Date: Fri, 3 Sep 2021 08:15:34 +0200
Subject: [PATCH] Reject ASCII NUL anywhere in the input
The input is read in line by line, stored in a buffer and processed further
with sscanf(). Embedded NUL characters ('\0') would already disturb sscanf(),
and nowhere does the code expect NUL characters. Therefore, detect NUL while
reading the input, and exit with an error message when NUL is found anywere.
Fixes ticket #80.
---
CHANGES | 4 ++++
fig2dev/read.c | 21 +++++++++++++++++++--
fig2dev/tests/data/text_w_ascii0.fig | 12 ++++++++++++
fig2dev/tests/read.at | 16 ++++++++++++++++
4 files changed, 51 insertions(+), 2 deletions(-)
create mode 100644 fig2dev/tests/data/text_w_ascii0.fig
diff --git a/CHANGES b/CHANGES
index 4a414fa..f1bbbc3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,10 @@ Patchlevel Xx (Xxx 20xx)
BUGS FIXED:
Ticket numbers refer to https://sourceforge.net/p/mcj/tickets/#.
+ o Fix ticket #81.
+ o Do not allow ASCII NUL anywhere in input. Fixes ticket #80.
+ o Use getline() to improve input scanning.
+ Fixes tickets #58, #59, #61, #62, #67, #78, #79.
o Correctly scan embedded pdfs for /MediaBox value.
o Convert polygons having too few points to polylines. Ticket #56.
o Reject huge arrow types causing integer overflow. Ticket #57.
diff --git a/fig2dev/read.c b/fig2dev/read.c
index aea9537..6e47f2d 100644
--- a/fig2dev/read.c
+++ b/fig2dev/read.c
@@ -200,8 +200,14 @@ read_objects(FILE *fp, F_compound *obj)
put_msg("Could not read input file.");
return -1;
}
- /* seek to the end of the first line */
- if (strchr(buf, '\n') == NULL) {
+
+ /* check for embedded '\0' */
+ if (strlen(buf) < sizeof buf - 1 && buf[strlen(buf) - 1] != '\n') {
+ put_msg("ASCII NUL ('\\0') character within the first line.");
+ exit(EXIT_FAILURE);
+ /* seek to the end of the first line
+ (the only place, where '\0's are tolerated) */
+ } else if (buf[strlen(buf) - 1] != '\n') {
int c;
do
c = fgetc(fp);
@@ -1399,6 +1405,15 @@ read_splineobject(FILE *fp, char **restrict line, size_t *line_len,
return s;
}
+static void
+exit_on_ascii_NUL(const char *restrict line, size_t chars, int line_no)
+{
+ if (strlen(line) < (size_t)chars) {
+ put_msg("ASCII NUL ('\\0') in line %d.", line_no);
+ exit(EXIT_FAILURE);
+ }
+}
+
static char *
find_end(const char *str, int v30flag)
{
@@ -1470,6 +1485,7 @@ read_textobject(FILE *fp, char **restrict line, size_t *line_len, int *line_no)
while ((chars = getline(line, line_len, fp)) != -1) {
++(*line_no);
+ exit_on_ascii_NUL(*line, chars, *line_no);
end = find_end(*line, v30_flag);
if (end) {
*end = '\0';
@@ -1641,6 +1657,7 @@ get_line(FILE *fp, char **restrict line, size_t *line_len, int *line_no)
if (**line == '\n' || (**line == '\r' &&
chars == 2 && (*line)[1] == '\n'))
continue;
+ exit_on_ascii_NUL(*line, chars, *line_no);
/* remove newline and possibly a carriage return */
if ((*line)[chars-1] == '\n') {
chars -= (*line)[chars - 2] == '\r' ? 2 : 1;
diff --git a/fig2dev/tests/data/text_w_ascii0.fig b/fig2dev/tests/data/text_w_ascii0.fig
new file mode 100644
index 0000000..c0aa754
--- /dev/null
+++ b/fig2dev/tests/data/text_w_ascii0.fig
@@ -0,0 +1,12 @@
+#FIG 3.2
+Landscape
+Center
+Inches
+Letter
+100.00
+Single
+-2
+1200 2
+4 0 0 2 0 25 163 31 7 0 0 -1 1 0 2
+ 0& 4 120 5 y\ 0 0 0^^^^^J^^^^^<U+0080>ÿÿ^^^^^^^^^^^^^^^^^^^^^^45 E\0I1y\001
+#4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 An ascii zero '\\0' here ->...and some more text following, with a certain amount of minimum characters\001
diff --git a/fig2dev/tests/read.at b/fig2dev/tests/read.at
index 9b34bfb..60982b0 100644
--- a/fig2dev/tests/read.at
+++ b/fig2dev/tests/read.at
@@ -406,6 +406,22 @@ EOF
])
AT_CLEANUP
+AT_SETUP([allow tex font -1, ticket #81])
+AT_KEYWORDS([pict2e tikz])
+AT_DATA([text.fig], [FIG_FILE_TOP
+4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 Text\001
+])
+AT_CHECK([fig2dev -L pict2e text.fig
+], 0, ignore)
+AT_CHECK([fig2dev -L tikz text.fig
+], 0, ignore)
+AT_CLEANUP
+
+AT_SETUP([reject ASCII NUL ('\0') in input, ticket #80])
+AT_KEYWORDS([read.c svg])
+AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig], 1, ignore, ignore)
+AT_CLEANUP
+
AT_BANNER([Dynamically allocate picture file name.])
AT_SETUP([prepend fig file path to picture file name])
--
2.31.1