out of bounds read access in is_utf8_well_formed()

Resolves: #1201310 CVE-2014-9488 This is an update of previous patch. The function is_utf8_well_formed was defined in charset.c with single parameter. I was surprised, that it is even compiling. This new patch is updating own implementation of function is_utf8_well_formed and fixing also its other use. The code is taken from Mark Nudelman's unreleased version of less.
2015-06-01 09:13:01 +02:00 · 2015-06-01 09:13:01 +02:00 · 48f39f63a0
commit 48f39f63a0
parent a879a7d3f4
2 changed files with 53 additions and 5 deletions
--- a/less-471-out_of_bounds_read.patch
+++ b/less-471-out_of_bounds_read.patch
@ -1,6 +1,51 @@
--- less-474/line.c	2015-01-31 00:20:29.000000000 +0100
-+++ less-475/line.c	2015-03-05 20:07:08.000000000 +0100
-@@ -807,7 +807,7 @@
+diff -up ./less-471/charset.c.utf8 ./less-471/charset.c
+--- ./less-471/charset.c.utf8	2014-12-14 19:19:11.000000000 +0100
+++ ./less-471/charset.c	2015-06-01 08:59:38.140122262 +0200
+@@ -506,8 +506,9 @@ utf_len(ch)
+  * Does the parameter point to the lead byte of a well-formed UTF-8 character?
+  */
+ 	public int
+-is_utf8_well_formed(s)
+is_utf8_well_formed(s, slen)
+ 	unsigned char *s;
+	int slen;
+ {
+ 	int i;
+ 	int len;
+@@ -516,6 +517,8 @@ is_utf8_well_formed(s)
+ 		return (0);
+ 
+ 	len = utf_len((char) s[0]);
+	if (len > slen)
+		return (0);
+ 	if (len == 1)
+ 		return (1);
+ 	if (len == 2)
+@@ -547,7 +550,7 @@ utf_bin_count(data, len)
+ 	int bin_count = 0;
+ 	while (len > 0)
+ 	{
+-		if (is_utf8_well_formed(data))
+		if (is_utf8_well_formed(data, len))
+ 		{
+ 			int clen = utf_len(*data);
+ 			data += clen;
+diff -up ./less-471/cmdbuf.c.utf8 ./less-471/cmdbuf.c
+--- ./less-471/cmdbuf.c.utf8	2014-12-14 19:19:11.000000000 +0100
+++ ./less-471/cmdbuf.c	2015-06-01 09:00:43.247776312 +0200
+@@ -1264,7 +1264,7 @@ cmd_char(c)
+ 			cmd_mbc_buf[cmd_mbc_buf_index++] = c;
+ 			if (cmd_mbc_buf_index < cmd_mbc_buf_len)
+ 				return (CC_OK);
+-			if (!is_utf8_well_formed(cmd_mbc_buf))
+			if (!is_utf8_well_formed(cmd_mbc_buf, cmd_mbc_buf_index))
+ 			{
+ 				/* complete, but not well formed (non-shortest form), sequence */
+ 				cmd_mbc_buf_len = 0;
+diff -up ./less-471/line.c.utf8 ./less-471/line.c
+--- ./less-471/line.c.utf8	2015-06-01 08:57:28.000000000 +0200
+++ ./less-471/line.c	2015-06-01 09:00:01.061352521 +0200
+@@ -807,7 +807,7 @@ pappend(c, pos)
 			mbc_buf[mbc_buf_index++] = c;
 			if (mbc_buf_index < mbc_buf_len)
 				return (0);
--- a/less.spec
+++ b/less.spec
@ -1,7 +1,7 @@
 Summary: A text file browser similar to more, but better
 Name: less
 Version: 471
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv3+
 Group: Applications/Text
 Source: http://www.greenwoodsoftware.com/less/%{name}-%{version}.tar.gz
@ -46,7 +46,7 @@ files, and you'll use it frequently.
 %patch9 -p1 -b .less-filters-man
 %patch10 -p1 -b .lesskey-usage
 %patch11 -p1 -b .old-bot
-%patch12 -p1 -b .out_of_bounds_read.patch
+%patch12 -p2 -b .out_of_bounds_read.patch
 autoreconf

 chmod -R a+w *
@ -77,6 +77,9 @@ ls -la $RPM_BUILD_ROOT/etc/profile.d
 rm -rf $RPM_BUILD_ROOT

 %changelog
+* Mon Jun 01 2015 Jozef Mlich <jmlich@redhat.com> - 471-4
+- update of previous patch
+
 * Mon Jun 01 2015 Jozef Mlich <jmlich@redhat.com> - 471-3
 - out of bounds read access in is_utf8_well_formed()
  Resolves: #1201310