Fix CVE-2016-10091 (stack-based buffer overflows in cmd_* functions): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10091 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849705 http://seclists.org/oss-sec/2016/q4/787 Patch adapted from Debian: https://anonscm.debian.org/cgit/collab-maint/unrtf.git/commit/?h=jessie&id=7500a48fb0fbad3ab963fb17560b2f90a8a485c8 The Debian patch adapts this upstream commit so that it can be applied to the 0.21.9 release tarball: http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406 From 7dd568ed8a6a5acb6c04f2b40f457d63a00435f3 Mon Sep 17 00:00:00 2001 From: Willi Mann Date: Sat, 31 Dec 2016 20:31:38 +0100 Subject: [PATCH] Add patch from upstream to fix CVE-2016-10091 (buffer overflow in various cmd_ functions) diff --git a/src/attr.c b/src/attr.c index 02b5c81..e2951ea 100644 --- a/src/attr.c +++ b/src/attr.c @@ -746,7 +746,7 @@ char * assemble_string(char *string, int nr) { - char *s, tmp[12];/* Number of characters that can be in int type (including '\0') - AF */ + char *s, tmp[20]; int i = 0, j = 0; if (string == NULL) @@ -762,7 +762,7 @@ assemble_string(char *string, int nr) } if (string[i] != '\0') { - sprintf(tmp, "%d", nr); + snprintf(tmp, 20, "%d", nr); strcpy(&s[j], tmp); j = j + strlen(tmp); } diff --git a/src/convert.c b/src/convert.c index c76d7d6..8eacdcb 100644 --- a/src/convert.c +++ b/src/convert.c @@ -472,7 +472,7 @@ static const int fcharsetparmtocp(int parm) } // Translate code page to encoding name hopefully suitable as iconv input -static char *cptoencoding(parm) +static char *cptoencoding(int parm) { // Note that CP0 is supposed to mean current system default, which does // not make any sense as a stored value, we don't handle it. @@ -964,7 +964,7 @@ cmd_cf (Word *w, int align, char has_param, int num) } else { - sprintf(str,"#%02x%02x%02x", + snprintf(str, 40, "#%02x%02x%02x", color_table[num].r, color_table[num].g, color_table[num].b); @@ -993,7 +993,7 @@ cmd_cb (Word *w, int align, char has_param, int num) } else { - sprintf(str,"#%02x%02x%02x", + snprintf(str, 40, "#%02x%02x%02x", color_table[num].r, color_table[num].g, color_table[num].b); @@ -1018,7 +1018,7 @@ cmd_fs (Word *w, int align, char has_param, int points) { /* Note, fs20 means 10pt */ points /= 2; - sprintf(str,"%d",points); + snprintf(str, 20, "%d", points); attr_push(ATTR_FONTSIZE,str); return FALSE; @@ -1166,7 +1166,7 @@ cmd_f (Word *w, int align, char has_param, int num) { // TOBEDONE: WHAT'S THIS ??? name = my_malloc(12); - sprintf(name, "%d", num); + snprintf(name, 12, "%d", num); } /* we are going to output entities, so should not output font */ @@ -1218,7 +1218,7 @@ cmd_highlight (Word *w, int align, char has_param, int num) } else { - sprintf(str,"#%02x%02x%02x", + snprintf(str, 40, "#%02x%02x%02x", color_table[num].r, color_table[num].g, color_table[num].b); @@ -1373,9 +1373,9 @@ cmd_ftech (Word *w, int align, char has_param, int param) { static int cmd_expand (Word *w, int align, char has_param, int param) { - char str[10]; + char str[20]; if (has_param) { - sprintf(str, "%d", param/4); + snprintf(str, 20, "%d", param / 4); if (!param) attr_pop(ATTR_EXPAND); else @@ -1394,7 +1394,7 @@ cmd_expand (Word *w, int align, char has_param, int param) { static int cmd_emboss (Word *w, int align, char has_param, int param) { - char str[10]; + char str[20]; if (has_param && !param) #ifdef SUPPORT_UNNESTED attr_find_pop(ATTR_EMBOSS); @@ -1403,7 +1403,7 @@ cmd_emboss (Word *w, int align, char has_param, int param) { #endif else { - sprintf(str, "%d", param); + snprintf(str, 20, "%d", param); attr_push(ATTR_EMBOSS, str); } return FALSE; @@ -1419,12 +1419,12 @@ cmd_emboss (Word *w, int align, char has_param, int param) { static int cmd_engrave (Word *w, int align, char has_param, int param) { - char str[10]; + char str[20]; if (has_param && !param) attr_pop(ATTR_ENGRAVE); else { - sprintf(str, "%d", param); + snprintf(str, 20, "%d", param); attr_push(ATTR_ENGRAVE, str); } return FALSE; @@ -1976,7 +1976,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) { short done=0; long unicode_number = (long) param; /* On 16bit architectures int is too small to store unicode characters. - AF */ - char tmp[12]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */ + char tmp[20]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */ const char *alias; #define DEBUG 0 #if DEBUG @@ -2006,7 +2006,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) { /* RTF spec: Unicode values beyond 32767 are represented by negative numbers */ unicode_number += 65536; } - sprintf(tmp, "%ld", unicode_number); + snprintf(tmp, 20, "%ld", unicode_number); if (safe_printf(1, op->unisymbol_print, tmp)) fprintf(stderr, TOO_MANY_ARGS, "unisymbol_print"); done++; diff --git a/src/output.c b/src/output.c index 86d8b5c..4cdbfa6 100644 --- a/src/output.c +++ b/src/output.c @@ -320,7 +320,7 @@ op_begin_std_fontsize (OutputPersonality *op, int size) if (!found_std_expr) { if (op->fontsize_begin) { char expr[16]; - sprintf (expr, "%d", size); + snprintf(expr, 16, "%d", size); if (safe_printf (1, op->fontsize_begin, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_begin"); } else { /* If we cannot write out a change for the exact @@ -440,7 +440,7 @@ op_end_std_fontsize (OutputPersonality *op, int size) if (!found_std_expr) { if (op->fontsize_end) { char expr[16]; - sprintf (expr, "%d", size); + snprintf(expr, 16, "%d", size); if (safe_printf(1, op->fontsize_end, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_end"); } else { /* If we cannot write out a change for the exact - .11.0