Package: liblouis / 3.0.0-3+deb9u4

cve-2018-11683 Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
commit e7eee2b7926668360a0d8e2abee6c35a00ebce3c
Author: Christian Egli <christian.egli@sbs.ch>
Date:   Mon Jun 4 12:02:13 2018 +0200

    Fix yet another buffer overflow in the braille table parser
    
    Reported by Henri Salo
    
    Fixes #591

---
 liblouis/compileTranslationTable.c |    5 ++---
 tools/lou_translate.c              |   12 +++++-------
 2 files changed, 7 insertions(+), 10 deletions(-)

--- a/liblouis/compileTranslationTable.c
+++ b/liblouis/compileTranslationTable.c
@@ -1536,14 +1536,14 @@ parseChars (FileInfo * nested, CharsStri
 	    }
 	  utf32 = (utf32 << 6) + (token->chars[in++] & 0x3f);
 	}
-      if (CHARSIZE == 2 && utf32 > 0xffff)
-	utf32 = 0xffff;
-      result->chars[out++] = (widechar) utf32;
       if (out >= MAXSTRING)
 	{
 	  result->length = lastOutSize;
 	  return 1;
 	}
+      if (CHARSIZE == 2 && utf32 > 0xffff)
+	utf32 = 0xffff;
+      result->chars[out++] = (widechar) utf32;
     }
   result->length = out;
   return 1;
--- a/tools/lou_translate.c
+++ b/tools/lou_translate.c
@@ -33,8 +33,6 @@
 #include "unistr.h"
 #include "version-etc.h"
 
-#define BUFSIZE MAXSTRING - 4
-
 static int forward_flag = 0;
 static int backward_flag = 0;
 
@@ -57,11 +55,11 @@ const char version_etc_copyright[] =
 static void 
 translate_input (int forward_translation, char *table_name)
 {
-  char charbuf[BUFSIZE];
+  char charbuf[MAXSTRING];
   char *outputbuf;
   size_t outlen;
-  widechar inbuf[BUFSIZE];
-  widechar transbuf[BUFSIZE];
+  widechar inbuf[MAXSTRING];
+  widechar transbuf[MAXSTRING];
   int inlen;
   int translen;
   int k;
@@ -69,9 +67,9 @@ translate_input (int forward_translation
   int result;
   while (1)
     {
-      translen = BUFSIZE;
+      translen = MAXSTRING;
       k = 0;
-      while ((ch = fgetc(input)) != '\n' && ch != EOF && k < BUFSIZE)
+      while ((ch = fgetc(input)) != '\n' && ch != EOF && k < MAXSTRING - 1)
 	charbuf[k++] = ch;
       if (ch == EOF && k == 0)
 	break;