File: array-index-out-of-bounds-with-bad-utf-8.patch

package info (click to toggle)
libmatio 1.5.28-2
links: PTS, VCS
area: main
in suites: forky, sid, trixie
size: 34,048 kB
sloc: sh: 117,166; ansic: 21,993; makefile: 607; python: 159
file content (71 lines) | stat: -rw-r--r-- 3,662 bytes
Description: Fix array index out of bounds when printing bad UTF-8 character data
 This fixes a security issue with identifier CVE-2025-2337.
Origin: upstream, https://github.com/tbeu/matio/commit/67000893b627205c42abc125d7917b6b2d18f84f
Bug: https://github.com/tbeu/matio/issues/267
Bug-Debian: https://bugs.debian.org/1100992
Last-Update: 2025-04-29
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/src/mat.c
+++ b/src/mat.c
@@ -2367,6 +2367,7 @@ Mat_VarPrint(const matvar_t *matvar, int
                     case MAT_T_UTF8: {
                         const mat_uint8_t *data = (const mat_uint8_t *)matvar->data;
                         size_t k = 0;
+                        int err = 0;
                         size_t *idxOffset;
                         if ( matvar->nbytes == 0 ) {
                             break;
@@ -2376,6 +2377,9 @@ Mat_VarPrint(const matvar_t *matvar, int
                             break;
                         }
                         for ( i = 0; i < matvar->dims[0]; i++ ) {
+                            if ( err ) {
+                                break;
+                            }
                             for ( j = 0; j < matvar->dims[1]; j++ ) {
                                 mat_uint8_t c;
                                 if ( k >= matvar->nbytes ) {
@@ -2384,16 +2388,36 @@ Mat_VarPrint(const matvar_t *matvar, int
                                 idxOffset[i * matvar->dims[1] + j] = k;
                                 c = data[k];
                                 if ( c <= 0x7F ) {
-                                } else if ( (c & 0xE0) == 0xC0 && k + 1 < matvar->nbytes ) {
-                                    k = k + 1;
-                                } else if ( (c & 0xF0) == 0xE0 && k + 2 < matvar->nbytes ) {
-                                    k = k + 2;
-                                } else if ( (c & 0xF8) == 0xF0 && k + 3 < matvar->nbytes ) {
-                                    k = k + 3;
+                                } else if ( (c & 0xE0) == 0xC0 ) {
+                                    if ( k + 1 < matvar->nbytes ) {
+                                        k += 1;
+                                    } else {
+                                        err = 1;
+                                        break;
+                                    }
+                                } else if ( (c & 0xF0) == 0xE0 ) {
+                                    if ( k + 2 < matvar->nbytes ) {
+                                        k += 2;
+                                    } else {
+                                        err = 1;
+                                        break;
+                                    }
+                                } else if ( (c & 0xF8) == 0xF0 ) {
+                                    if ( k + 3 < matvar->nbytes ) {
+                                        k += 3;
+                                    } else {
+                                        err = 1;
+                                        break;
+                                    }
                                 }
                                 ++k;
                             }
                         }
+                        if ( err ) {
+                            free(idxOffset);
+                            Mat_Message("UTF-8 character data error at index %zu", k);
+                            break;
+                        }
                         for ( i = 0; i < matvar->dims[0]; i++ ) {
                             for ( j = 0; j < matvar->dims[1]; j++ ) {
                                 mat_uint8_t c;