fix CVE-2022-29458

(cherry picked from commit bf362dd4357b8efa6e4f615c4e3c657186f3a9d8)
eaglegai 2022-04-28 20:04:39 +08:00 committed by openeuler-sync-bot
parent 0ac0caaf14
commit 709c2999ac
2 changed files with 90 additions and 2 deletions


@ -0,0 +1,81 @@
From 4c9f63c460cb7134f142aa65f6866c175ed77605 Mon Sep 17 00:00:00 2001
From: "Thomas E. Dickey" <dickey@invisible-island.net>
Date: Sun, 17 Apr 2022 00:27:48 +0000
Subject: [PATCH] ncurses 6.3 - patch 20220416
ncurses/tinfo/alloc_entry.c | 12 +-
ncurses/tinfo/read_entry.c | 21 +-
2 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/ncurses/tinfo/alloc_entry.c b/ncurses/tinfo/alloc_entry.c
index 0bc93942c..aed739436 100644
--- a/ncurses/tinfo/alloc_entry.c
+++ b/ncurses/tinfo/alloc_entry.c
@@ -48,8 +48,6 @@
#define ABSENT_OFFSET -1
#define CANCELLED_OFFSET -2
-#define MAX_STRTAB 4096 /* documented maximum entry size */
-
static char *stringbuf; /* buffer for string capabilities */
static size_t next_free; /* next free character in stringbuf */
@@ -74,7 +72,7 @@ _nc_init_entry(ENTRY * const tp)
#endif
if (stringbuf == 0)
- TYPE_MALLOC(char, (size_t) MAX_STRTAB, stringbuf);
+ TYPE_MALLOC(char, (size_t) MAX_ENTRY_SIZE, stringbuf);
next_free = 0;
@@ -111,11 +109,11 @@ _nc_save_str(const char *string)
* Cheat a little by making an empty string point to the end of the
* previous string.
*/
- if (next_free < MAX_STRTAB) {
+ if (next_free < MAX_ENTRY_SIZE) {
result = (stringbuf + next_free - 1);
}
- } else if (next_free + len < MAX_STRTAB) {
- _nc_STRCPY(&stringbuf[next_free], string, MAX_STRTAB);
+ } else if (next_free + len < MAX_ENTRY_SIZE) {
+ _nc_STRCPY(&stringbuf[next_free], string, MAX_ENTRY_SIZE);
DEBUG(7, ("Saved string %s", _nc_visbuf(string)));
DEBUG(7, ("at location %d", (int) next_free));
next_free += len;
diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c
index 41ef0d0aa..66e3d31ee 100644
--- a/ncurses/tinfo/read_entry.c
+++ b/ncurses/tinfo/read_entry.c
@@ -145,6 +145,7 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
{
int i;
char *p;
+ bool corrupt = FALSE;
for (i = 0; i < count; i++) {
if (IS_NEG1(buf + 2 * i)) {
@@ -154,8 +155,20 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
} else if (MyNumber(buf + 2 * i) > size) {
Strings[i] = ABSENT_STRING;
} else {
- Strings[i] = (MyNumber(buf + 2 * i) + table);
- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i])));
+ int nn = MyNumber(buf + 2 * i);
+ if (nn >= 0 && nn < size) {
+ Strings[i] = (nn + table);
+ TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
+ _nc_visbuf(Strings[i])));
+ } else {
+ if (!corrupt) {
+ corrupt = TRUE;
+ TR(TRACE_DATABASE,
+ ("ignore out-of-range index %d to Strings[]", nn));
+ _nc_warning("corrupt data found in convert_strings");
+ }
+ Strings[i] = ABSENT_STRING;
+ }
}
/* make sure all strings are NUL terminated */


@ -1,7 +1,7 @@
%global revision 20200411
Name: ncurses
Version: 6.2
Release: 2
Release: 3
Summary: Terminal control library
License: MIT
URL: https://invisible-island.net/ncurses/ncurses.html
@ -12,7 +12,8 @@ Patch9: ncurses-libs.patch
Patch11: ncurses-urxvt.patch
Patch12: ncurses-kbs.patch
Patch6000: backport-CVE-2021-39537-add-check-for-end-of-string-in-cvtchar-to-handle-a-malformed.patch
Patch13: backport-CVE-2021-39537-add-check-for-end-of-string-in-cvtchar-to-handle-a-malformed.patch
Patch14: backport-CVE-2022-29458.patch
BuildRequires: gcc gcc-c++ gpm-devel pkgconfig
@ -223,6 +224,12 @@ xz NEWS
%{_mandir}/man7/*
%changelog
* Thu Apr 28 2022 gaihuiying <eaglegai@163.com> - 6.2-3
- Type:CVE
- CVE:CVE-2022-29458
- SUG:NA
- DESC:fix CVE-2022-29458
* Tue Oct 12 2021 xihaochen<xihaochen@huawei.com> - 6.2-2
- Type:CVE
- CVE:CVE-2021-39537
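Review bot: Nothing in the visible hunks shows `Patch14` being applied; this section only declares it at the `Patch14: backport-CVE-2022-29458.patch` line. If %prep uses explicit `%patch` directives rather than `%autosetup` or `%autopatch`, a matching `%patch14 -p1` line is needed, otherwise the package ships with the new Release number and changelog entry but without the fix. %prep lies outside the hunks shown, so this needs checking against the full spec, ideally by confirming in the build log that the patch was applied.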