openbsd-ports/japanese/canna/patches/patch-server_wconvert_c

322 lines
12 KiB
Plaintext
Raw Normal View History

$OpenBSD: patch-server_wconvert_c,v 1.1 2003/03/12 21:21:55 brad Exp $
--- server/wconvert.c.orig Wed Nov 27 02:27:28 1996
+++ server/wconvert.c Wed Mar 12 14:59:07 2003
@@ -101,4 +101,5 @@ extern reqproc ExtensionWideVector[];
extern void DispDebug() ;
+extern const Ushort *ushortmemchr pro((const Ushort *, int, size_t));
extern int canna_server_hi ;
extern int canna_server_lo ;
@@ -1323,5 +1324,8 @@ ClientPtr *clientp ;
int cxnum = Request.type18.context, stat = -1;
int requestsize = Request.type18.size, retval;
+ size_t datasize = Request.type18.datalen - SIZEOFSHORT * 2;
+ if (datasize == 0 || req->data[datasize - 1] != 0)
+ goto protoerr;
if (validcontext(cxnum, client, wListDictionary)) {
if (requestsize <= sizeof(local_buffer) ||
@@ -1360,4 +1364,5 @@ ClientPtr *clientp ;
}
+protoerr:
retval = SendType6Reply(client, wListDictionary, EXTPROTO, stat,
dicnames, namesize(dicnames, stat));
@@ -1471,8 +1476,13 @@ ClientPtr *clientp ;
int cxnum = Request.type18.context, stat = BADCONT;
int dirlen, requestsize = Request.type18.size, retval;
+ size_t datasize = Request.type18.datalen - SIZEOFSHORT * 2;
+ if (datasize == 0 || req->data[datasize - 1] != 0)
+ goto protoerr;
if (validcontext(cxnum, client, wGetWordTextDictionary)) {
dirname = req->data ;
dirlen = strlen(dirname) + 1 ;
+ if (dirlen == datasize)
+ goto protoerr;
dicname = &(req->data[dirlen]) ;
if (dirlen > 1) {
@@ -1516,4 +1526,5 @@ ClientPtr *clientp ;
}
}
+protoerr:
retval = SendType7Reply(client, wGetWordTextDictionary, EXTPROTO,
stat, stat > 0 ? stat + 1 : 0, infobuf);
@@ -2097,10 +2108,10 @@ ClientPtr *clientp;
if (validcontext(cxnum, client, wThrough)) {
- buf = malloc((int)Request.type20.bufsize);
+ content_size = Request.type20.datalen - (SIZEOFINT * 2 + SIZEOFSHORT);
+ buf = malloc(content_size);
if (buf) {
- content_size = Request.type20.datalen - (SIZEOFINT * 2 + SIZEOFSHORT);
bcopy(Request.type20.buf, buf, content_size);
stat = size = RkThrough(cxnum, Request.type20.command,
- buf, content_size, (int)Request.type20.bufsize);
+ buf, content_size, content_size);
}
}
@@ -2297,4 +2308,7 @@ BYTE *buf ;
ir_debug( Dmsg(10, "ProcWideReq1 start!!\n") );
+ if (Request.type1.datalen != 0)
+ return( -1 );
+
return( 0 ) ;
}
@@ -2306,4 +2320,6 @@ BYTE *buf ;
ir_debug( Dmsg(10, "ProcWideReq2 start!!\n") );
+ if (Request.type2.datalen != SIZEOFSHORT)
+ return( -1 );
buf += HEADER_SIZE; Request.type2.context = S2TOS(buf);
ir_debug( Dmsg(10, "req->context =%d\n", Request.type2.context) );
@@ -2318,4 +2334,6 @@ BYTE *buf ;
ir_debug( Dmsg(10, "ProcWideReq3 start!!\n") );
+ if (Request.type3.datalen != SIZEOFSHORT * 2)
+ return( -1 );
buf += HEADER_SIZE; Request.type3.context = S2TOS(buf);
buf += SIZEOFSHORT; Request.type3.buflen = S2TOS(buf);
@@ -2335,4 +2353,6 @@ BYTE *buf ;
ir_debug( Dmsg(10, "ProcWideReq4 start!!\n") );
+ if (Request.type4.datalen < SIZEOFSHORT * 4)
+ return( -1 );
buf += HEADER_SIZE; Request.type4.context = S2TOS(buf);
buf += SIZEOFSHORT; Request.type4.begin = S2TOS(buf);
@@ -2340,5 +2360,9 @@ BYTE *buf ;
buf += SIZEOFSHORT; Request.type4.yomilen = S2TOS(buf);
Request.type4.yomi = (Ushort *)(buf += SIZEOFSHORT) ;
- len = Request.type4.datalen - SIZEOFSHORT * 4;
+ len = Request.type4.yomilen + 1;
+ if (Request.type4.datalen != SIZEOFSHORT * (4 + len)
+ || len == 0
+ || Request.type4.yomi[len - 1] != 0)
+ return( -1 );
for (data = Request.type4.yomi, i = 0; i < len; i++, data++)
*data = ntohs((unsigned short)*data); /* <20><><EFBFBD><EFBFBD><EFBFBD>äȤ<C3A4><C8A4><EFBFBD><EFBFBD>ʤ<EFBFBD> */
@@ -2360,4 +2384,6 @@ BYTE *buf ;
ir_debug( Dmsg(10, "ProcWideReq5 start!!\n") );
+ if (Request.type5.datalen != SIZEOFSHORT * 2 + SIZEOFINT)
+ return( -1 );
buf += HEADER_SIZE; Request.type5.context = S2TOS(buf);
buf += SIZEOFSHORT; Request.type5.size = S2TOS(buf);
@@ -2376,4 +2402,6 @@ BYTE *buf ;
ir_debug( Dmsg(10, "ProcWideReq6 start!!\n") );
+ if (Request.type6.datalen != SIZEOFSHORT * 3)
+ return( -1 );
buf += HEADER_SIZE; Request.type6.context = S2TOS(buf);
buf += SIZEOFSHORT; Request.type6.number = S2TOS(buf);
@@ -2392,4 +2420,6 @@ BYTE *buf ;
ir_debug( Dmsg(10, "ProcWideReq7 start!!\n") );
+ if (Request.type7.datalen != SIZEOFSHORT * 3)
+ return( -1 );
buf += HEADER_SIZE; Request.type7.context = S2TOS(buf);
buf += SIZEOFSHORT; Request.type7.number = S2TOS(buf);
@@ -2408,4 +2438,6 @@ BYTE *buf ;
ir_debug( Dmsg(10, "ProcWideReq8 start!!\n") );
+ if (Request.type8.datalen != SIZEOFSHORT * 4)
+ return( -1 );
buf += HEADER_SIZE; Request.type8.context = S2TOS(buf);
buf += SIZEOFSHORT; Request.type8.curbun = S2TOS(buf);
@@ -2426,4 +2458,6 @@ BYTE *buf ;
ir_debug( Dmsg(10, "ProcWideReq9 start!!\n") );
+ if (Request.type9.datalen != SIZEOFSHORT * 4)
+ return( -1 );
buf += HEADER_SIZE; Request.type9.context = S2TOS(buf);
buf += SIZEOFSHORT; Request.type9.number = S2TOS(buf);
@@ -2443,7 +2477,11 @@ BYTE *buf ;
{
register int i ;
+ int rest;
ir_debug( Dmsg(10, "ProcWideReq10 start!!\n") );
+ rest = Request.type10.datalen - (SIZEOFSHORT * 2 + SIZEOFINT);
+ if (rest < 0)
+ return( -1 );
buf += HEADER_SIZE; Request.type10.context = S2TOS(buf);
buf += SIZEOFSHORT; Request.type10.number = S2TOS(buf);
@@ -2453,4 +2491,6 @@ BYTE *buf ;
ir_debug( Dmsg(10, "req->mode =%d\n", Request.type10.mode) );
+ if (rest != Request.type10.number * SIZEOFSHORT)
+ return( -1 );
buf += SIZEOFINT; Request.type10.kouho = (short *)buf; /* short? */
for (i = 0; i < Request.type10.number; i++) {
@@ -2469,10 +2509,16 @@ BYTE *buf ;
int i, len ;
- ir_debug( Dmsg(10, "ProcWideReq10 start!!\n") );
+ ir_debug( Dmsg(10, "ProcWideReq11 start!!\n") );
+ if (Request.type11.datalen < SIZEOFSHORT * 2)
+ return( -1 );
buf += HEADER_SIZE; Request.type11.context = S2TOS(buf);
buf += SIZEOFSHORT; Request.type11.curbun = S2TOS(buf);
buf += SIZEOFSHORT; Request.type11.yomi = (Ushort *)buf;
+ if (Request.type11.datalen % SIZEOFSHORT != 0)
+ return( -1 );
len = ((int)Request.type11.datalen - SIZEOFSHORT * 2) / SIZEOFSHORT ;
+ if (len == 0 || Request.type11.yomi[len - 1] != 0)
+ return( -1 );
for (data = Request.type11.yomi, i = 0; i < len; i++, data++)
*data = ntohs( *data ); /* <20>ʤ󤫤<CAA4><F3A4ABA4><EFBFBD> */
@@ -2491,14 +2537,24 @@ BYTE *buf ;
{
register Ushort *data;
- int i, len ;
+ int i, len, rest;
ir_debug( Dmsg(10, "ProcWideReq12 start!!\n") );
+ rest = Request.type12.datalen - SIZEOFSHORT;
+ if (rest < 0)
+ return( -1 );
buf += HEADER_SIZE; Request.type12.context = S2TOS(buf);
buf += SIZEOFSHORT; Request.type12.datainfo = (Ushort *)buf;
+ if (!ushortmemchr((Ushort *)buf, 0, rest / SIZEOFSHORT))
+ return( -1 );
len = ushortstrlen((Ushort *)buf) + 1;
+ rest -= len * SIZEOFSHORT;
+ if (rest <= 0)
+ return( -1 );
for( data = Request.type12.datainfo, i = 0; i < len; i++, data++ )
*data = ntohs( *data ); /* <20>ʤ󤫤<CAA4><F3A4ABA4><EFBFBD> */
buf += len * SIZEOFSHORT;
+ if (buf[rest - 1] != '\0')
+ return( -1 );
Request.type12.dicname = (char *)buf;
ir_debug( Dmsg(10, "req->context =%d\n", Request.type12.context) );
@@ -2518,22 +2574,35 @@ BYTE *buf ;
{
register Ushort *data;
- int i ,len ;
+ int i ,len, rest;
ir_debug( Dmsg(10, "ProcWideReq13 start!!\n") );
+ rest = Request.type13.datalen - SIZEOFSHORT;
+ if (rest < 0)
+ return( -1 );
buf += HEADER_SIZE; Request.type13.context = S2TOS(buf);
len = SIZEOFSHORT ;
buf += len;
Request.type13.dicname = (char *)buf;
+ if (!memchr(buf, 0, rest))
+ return( -1 );
len = strlen( (char *)buf ) + 1;
+ rest -= len;
+ if (rest % SIZEOFSHORT
+ || rest < SIZEOFSHORT * 3)
+ return( -1 );
buf += len;
Request.type13.yomi = (Ushort *)buf;
len = ((int)Request.type13.datalen - len - SIZEOFSHORT * 4) / SIZEOFSHORT;
+ if (ushortmemchr((Ushort *)buf, 0, len) != (Ushort *)buf + len - 1)
+ return( -1 );
for( data = Request.type13.yomi, i = 0; i < len; i++, data++)
*data = ntohs( *data );
- buf += (ushortstrlen((Ushort *)buf) + 1) * SIZEOFSHORT;
+ buf += len * SIZEOFSHORT;
Request.type13.yomilen = S2TOS(buf);
buf += SIZEOFSHORT; Request.type13.kouhosize = S2TOS(buf);
buf += SIZEOFSHORT; Request.type13.hinshisize = S2TOS(buf);
+ if (Request.type13.yomilen != len - 1)
+ return( -1 );
ir_debug( Dmsg(10, "req->context =%d\n", Request.type13.context) );
ir_debug( Dmsg(10, "req->dicname =%s\n", Request.type13.dicname) );
@@ -2557,4 +2626,7 @@ BYTE *buf ;
ir_debug( Dmsg(10, "ProcWideReq14 start!!\n") );
+ if (Request.type14.datalen <= SIZEOFINT + SIZEOFSHORT
+ || Request.type14.datalen % SIZEOFSHORT)
+ return( -1 );
buf += HEADER_SIZE; Request.type14.mode = L4TOL(buf);
buf += SIZEOFINT; Request.type14.context = S2TOS(buf);
@@ -2562,4 +2634,6 @@ BYTE *buf ;
len = ((int)Request.type14.datalen - SIZEOFSHORT - SIZEOFINT)
/ SIZEOFSHORT;
+ if (Request.type14.yomi[len - 1] != 0)
+ return( -1 );
for (data = Request.type14.yomi, i = 0; i < len; i++, data++)
*data = ntohs( *data ); /* <20>ʤ󤫤<CAA4><F3A4ABA4><EFBFBD> */
@@ -2578,9 +2652,15 @@ ProcWideReq15(buf)
BYTE *buf ;
{
+ int rest;
ir_debug( Dmsg(10, "ProcWideReq15 start!!\n") );
+ rest = Request.type15.datalen - (SIZEOFINT + SIZEOFSHORT);
+ if (rest <= 0)
+ return( -1 );
buf += HEADER_SIZE; Request.type15.mode = L4TOL(buf);
buf += SIZEOFINT; Request.type15.context = S2TOS(buf);
buf += SIZEOFSHORT; Request.type15.dicname = (char *)buf;
+ if (buf[rest - 1] != 0)
+ return( -1 );
ir_debug( Dmsg(10, "req->mode =%d\n", Request.type15.mode) );
ir_debug( Dmsg(10, "req->context =%d\n", Request.type15.context) );
@@ -2598,4 +2678,7 @@ BYTE *buf ;
buf += HEADER_SIZE;
+ if (Request.type17.datalen < SIZEOFCHAR * 2
+ || buf[Request.type17.datalen - SIZEOFCHAR * 2] != 0)
+ return( -1 );
Request.type17.dicname = (char *)buf;
Request.type17.mode = (char)*(buf + Request.type17.datalen - SIZEOFCHAR) ;
@@ -2614,4 +2697,6 @@ BYTE *buf ;
ir_debug( Dmsg(10, "ProcWideReq18 start!!\n") );
+ if (Request.type18.datalen < SIZEOFSHORT * 2)
+ return( -1 );
buf += HEADER_SIZE; Request.type18.context = S2TOS(buf);
buf += SIZEOFSHORT; Request.type18.data = (char *)buf;
@@ -2631,10 +2716,16 @@ ProcWideReq19(buf)
BYTE *buf ;
{
+ int rest;
ir_debug( Dmsg(10, "ProcWideReq19 start!!\n") );
+ rest = Request.type20.datalen - (SIZEOFSHORT + SIZEOFINT * 2);
+ if (rest < 0)
+ return( -1 );
buf += HEADER_SIZE; Request.type20.context = S2TOS(buf);
buf += SIZEOFSHORT; Request.type20.command = L4TOL(buf);
buf += SIZEOFINT; Request.type20.bufsize = L4TOL(buf);
buf += SIZEOFINT; Request.type20.buf = (char *)buf;
+ if (Request.type20.bufsize != rest)
+ return( -1 );
ir_debug( Dmsg(10, "req->context =%d\n", Request.type20.context) );
ir_debug( Dmsg(10, "req->command =%d\n", Request.type20.command) );
@@ -2648,13 +2739,23 @@ ProcWideReq20(buf)
BYTE *buf ;
{
+ BYTE *bufend;
ir_debug( Dmsg(10, "ProcWideReq20 start!!\n") );
+ if (Request.type21.datalen < SIZEOFINT + SIZEOFSHORT)
+ return( -1 );
buf += HEADER_SIZE; Request.type21.mode = L4TOL(buf);
+ bufend = buf + Request.type21.datalen;
buf += SIZEOFINT; Request.type21.context = S2TOS(buf);
buf += SIZEOFSHORT; Request.type21.dirname = (char *)buf;
+ if (!memchr(buf, 0, bufend - buf))
+ return( -1 );
buf += strlen((char *)buf) + 1;
Request.type21.srcdic = (char *)buf;
+ if (!memchr(buf, 0, bufend - buf))
+ return( -1 );
buf += strlen((char *)buf) + 1;
Request.type21.dstdic = (char *)buf;
+ if (*(bufend - 1) != 0)
+ return( -1 );
ir_debug( Dmsg(10, "req->mode =%d\n", Request.type21.mode) );