48f39f63a0
Resolves: #1201310 CVE-2014-9488 This is an update of previous patch. The function is_utf8_well_formed was defined in charset.c with single parameter. I was surprised, that it is even compiling. This new patch is updating own implementation of function is_utf8_well_formed and fixing also its other use. The code is taken from Mark Nudelman's unreleased version of less.
57 lines
1.8 KiB
Diff
57 lines
1.8 KiB
Diff
diff -up ./less-471/charset.c.utf8 ./less-471/charset.c
|
|
--- ./less-471/charset.c.utf8 2014-12-14 19:19:11.000000000 +0100
|
|
+++ ./less-471/charset.c 2015-06-01 08:59:38.140122262 +0200
|
|
@@ -506,8 +506,9 @@ utf_len(ch)
|
|
* Does the parameter point to the lead byte of a well-formed UTF-8 character?
|
|
*/
|
|
public int
|
|
-is_utf8_well_formed(s)
|
|
+is_utf8_well_formed(s, slen)
|
|
unsigned char *s;
|
|
+ int slen;
|
|
{
|
|
int i;
|
|
int len;
|
|
@@ -516,6 +517,8 @@ is_utf8_well_formed(s)
|
|
return (0);
|
|
|
|
len = utf_len((char) s[0]);
|
|
+ if (len > slen)
|
|
+ return (0);
|
|
if (len == 1)
|
|
return (1);
|
|
if (len == 2)
|
|
@@ -547,7 +550,7 @@ utf_bin_count(data, len)
|
|
int bin_count = 0;
|
|
while (len > 0)
|
|
{
|
|
- if (is_utf8_well_formed(data))
|
|
+ if (is_utf8_well_formed(data, len))
|
|
{
|
|
int clen = utf_len(*data);
|
|
data += clen;
|
|
diff -up ./less-471/cmdbuf.c.utf8 ./less-471/cmdbuf.c
|
|
--- ./less-471/cmdbuf.c.utf8 2014-12-14 19:19:11.000000000 +0100
|
|
+++ ./less-471/cmdbuf.c 2015-06-01 09:00:43.247776312 +0200
|
|
@@ -1264,7 +1264,7 @@ cmd_char(c)
|
|
cmd_mbc_buf[cmd_mbc_buf_index++] = c;
|
|
if (cmd_mbc_buf_index < cmd_mbc_buf_len)
|
|
return (CC_OK);
|
|
- if (!is_utf8_well_formed(cmd_mbc_buf))
|
|
+ if (!is_utf8_well_formed(cmd_mbc_buf, cmd_mbc_buf_index))
|
|
{
|
|
/* complete, but not well formed (non-shortest form), sequence */
|
|
cmd_mbc_buf_len = 0;
|
|
diff -up ./less-471/line.c.utf8 ./less-471/line.c
|
|
--- ./less-471/line.c.utf8 2015-06-01 08:57:28.000000000 +0200
|
|
+++ ./less-471/line.c 2015-06-01 09:00:01.061352521 +0200
|
|
@@ -807,7 +807,7 @@ pappend(c, pos)
|
|
mbc_buf[mbc_buf_index++] = c;
|
|
if (mbc_buf_index < mbc_buf_len)
|
|
return (0);
|
|
- if (is_utf8_well_formed(mbc_buf))
|
|
+ if (is_utf8_well_formed(mbc_buf, mbc_buf_index))
|
|
r = do_append(get_wchar(mbc_buf), mbc_buf, mbc_pos);
|
|
else
|
|
/* Complete, but not shortest form, sequence. */
|