Package: liblouis / 3.0.0-3+deb9u4

CVE-2017-13739-and-2017-13740-and-2017-13742.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
From d8cfdf1ab64a4c9c6685efe45bc735f68dac618c Mon Sep 17 00:00:00 2001
From: Mike Gorse <mgorse@suse.com>
Date: Wed, 30 Aug 2017 12:53:02 -0500
Subject: [PATCH] resolveSubtable: Fix buffer overflow parsing a malformed
 table

The subtable's name can theoretically be up to MAXSTRING characters long.
The base name is then copied into a buffer, and the subtable's name is
appended, so we should allocate more than MAXSTRING bytes for the buffer.

Fixes CVE-2017-13739, CVE-2017-13740, and CVE-2017-13742.
---
 liblouis/compileTranslationTable.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: liblouis-3.0.0/liblouis/compileTranslationTable.c
===================================================================
--- liblouis-3.0.0.orig/liblouis/compileTranslationTable.c
+++ liblouis-3.0.0/liblouis/compileTranslationTable.c
@@ -4899,7 +4899,7 @@ resolveSubtable (const char *table, cons
 
   if (table == NULL || table[0] == '\0')
     return NULL;
-  tableFile = (char *) malloc (MAXSTRING * sizeof(char));
+  tableFile = (char *) malloc (MAXSTRING * sizeof(char) * 2);
   
   //
   // First try to resolve against base