Package: liblouis / 3.0.0-3+deb9u4

cve-2018-11577 Patch series | download
commit 7e135b9313ad06218dfcf9ed63070edede7745a1
Author: Christian Egli <christian.egli@sbs.ch>
Date:   Thu May 31 12:08:56 2018 +0200

    Fix yet another buffer overflow in the braille table parser
    
    Reported by Edward-L
    
    Fixes #582

---
 liblouis/compileTranslationTable.c |   16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

--- a/liblouis/compileTranslationTable.c
+++ b/liblouis/compileTranslationTable.c
@@ -2843,6 +2843,10 @@ compilePassOpcode (FileInfo * nested, Tr
       passLinepos = 0;
       while (passLinepos <= endTest)
 	{
+	  if (passIC >= MAXSTRING) {
+	    compileError(passNested, "Test part in multipass operand too long");
+	    return 0;
+	  }
 	  switch ((passSubOp = passLine.chars[passLinepos]))
 	    {
 	    case pass_lookback:
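Review bot: The check added at the top of this loop guarantees only one free slot in `passInstructions` per iteration, so any case in the switch that stores more than one element before the loop comes round again can still run past the limit. The switch body continues outside the hunk, so which test-part cases do that cannot be confirmed from here. The third hunk shows the action part has such a case (a length followed by the operand's characters), and the test part should be audited for the same pattern. The same caveat applies to the identical check added in the second hunk. A comment on the check, such as `/* guards a single store; cases that append several elements must check again */`, would keep that limit visible to the next reader.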
@@ -3038,6 +3042,10 @@ compilePassOpcode (FileInfo * nested, Tr
       while (passLinepos < passLine.length &&
 	     passLine.chars[passLinepos] > 32)
 	{
+	  if (passIC >= MAXSTRING) {
+	    compileError(passNested, "Action part in multipass operand too long");
+	    return 0;
+	  }
 	  switch ((passSubOp = passLine.chars[passLinepos]))
 	    {
 	    case pass_string:
@@ -3065,8 +3073,14 @@ compilePassOpcode (FileInfo * nested, Tr
 	      if (passHoldString.length == 0)
 		return 0;
 	      passInstructions[passIC++] = passHoldString.length;
-	      for (kk = 0; kk < passHoldString.length; kk++)
+	      for (kk = 0; kk < passHoldString.length; kk++) {
+		if (passIC >= MAXSTRING) {
+		  compileError(passNested,
+		    "@ operand in action part of multipass operand too long");
+		  return 0;
+		}
 		passInstructions[passIC++] = passHoldString.chars[kk];
+	      }
 	      break;
 	    case pass_variable:
 	      passLinepos++;
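Review bot: The store `passInstructions[passIC++] = passHoldString.length;` just above the rewritten loop still has no bound check of its own. It relies on the loop-top check from the previous hunk, which only holds if nothing between that check and this line has advanced `passIC`; those lines are outside the hunk, so this should be confirmed. Checking the whole run once before the length store would cover both the length slot and the characters, and would reject the operand before any partial write: `if (passIC >= MAXSTRING || passHoldString.length >= MAXSTRING - passIC) { compileError(passNested, "@ operand in action part of multipass operand too long"); return 0; }`. This assumes `passInstructions` holds `MAXSTRING` elements, which the hunk does not show.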