SECURITY FIX:

A voluntary security review of the importers by infamous41md has turned up
three buffer overflow errors in the xfig import code.
Details:
http://mail.gnome.org/archives/dia-list/2006-March/msg00149.html
steven 2006-04-03 16:21:47 +00:00
parent 394abc9ebe
commit a24b504344
3 changed files with 206 additions and 2 deletions


@ -1,9 +1,9 @@
# $OpenBSD: Makefile,v 1.34 2006/01/20 07:15:22 steven Exp $
# $OpenBSD: Makefile,v 1.35 2006/04/03 16:21:47 steven Exp $
COMMENT= "technical diagrams drawing tool"
DISTNAME= dia-0.94
PKGNAME= ${DISTNAME}p3
PKGNAME= ${DISTNAME}p4
CATEGORIES= graphics
HOMEPAGE= http://www.gnome.org/projects/dia/


@ -0,0 +1,193 @@
$OpenBSD: patch-plug-ins_xfig_xfig-import_c,v 1.1 2006/04/03 16:21:47 steven Exp $
--- plug-ins/xfig/xfig-import.c.orig Mon Aug 16 09:56:21 2004
+++ plug-ins/xfig/xfig-import.c Mon Apr 3 18:16:09 2006
@@ -441,11 +441,17 @@ create_standard_group(GList *items, Diag
static Color
fig_color(int color_index)
{
- if (color_index == -1)
+ if (color_index <= -1)
return color_black; /* Default color */
- if (color_index < FIG_MAX_DEFAULT_COLORS)
+ else if (color_index < FIG_MAX_DEFAULT_COLORS)
return fig_default_colors[color_index];
- else return fig_colors[color_index-FIG_MAX_DEFAULT_COLORS];
+ else if (color_index < FIG_MAX_USER_COLORS)
+ return fig_colors[color_index-FIG_MAX_DEFAULT_COLORS];
+ else {
+ message_error(_("Color index %d too high, only 512 colors allowed. Using black instead."),
+ color_index);
+ return color_black;
+ }
}
static Color
@@ -563,23 +569,25 @@ fig_simple_properties(DiaObject *obj,
static int
fig_read_n_points(FILE *file, int n, Point **points) {
int i;
- Point *new_points;
+ GArray *points_list = g_array_sized_new(FALSE, FALSE, sizeof(Point), n);
- new_points = (Point*)g_malloc(sizeof(Point)*n);
-
for (i = 0; i < n; i++) {
int x,y;
+ Point p;
if (fscanf(file, " %d %d ", &x, &y) != 2) {
message_error(_("Error while reading %dth of %d points: %s\n"),
i, n, strerror(errno));
- free(new_points);
+ g_array_free(points_list, TRUE);
return FALSE;
}
- new_points[i].x = x/FIG_UNIT;
- new_points[i].y = y/FIG_UNIT;
+ p.x = x/FIG_UNIT;
+ p.y = y/FIG_UNIT;
+ g_array_append_val(points_list, p);
}
fscanf(file, "\n");
- *points = new_points;
+
+ *points = (Point *)points_list->data;
+ g_array_free(points_list, FALSE);
return TRUE;
}
@@ -683,7 +691,7 @@ fig_read_text_line(FILE *file) {
return text_buf;
}
-static GList *depths[1000];
+static GList *depths[FIG_MAX_DEPTHS];
/* If there's something in the compound stack, we ignore the depth field,
as it will be determined by the group anyway */
@@ -693,6 +701,26 @@ static GSList *compound_stack = NULL;
level. Best we can do now. */
static int compound_depth;
+/** Add an object at a given depth. This function checks for depth limits
+ * and updates the compound depth if needed.
+ *
+ * @param newobj An object to add. If we're inside a compound, this
+ * doesn't really add the object.
+ * @param depth A depth as in the Fig format, max 999
+ */
+static void
+add_at_depth(DiaObject *newobj, int depth) {
+ if (depth < 0 || depth >= FIG_MAX_DEPTHS) {
+ message_error(_("Depth %d of of range, only 0-%d allowed.\n"),
+ depth, FIG_MAX_DEPTHS-1);
+ depth = FIG_MAX_DEPTHS - 1;
+ }
+ if (compound_stack == NULL)
+ depths[depth] = g_list_append(depths[depth], newobj);
+ else
+ if (compound_depth > depth) compound_depth = depth;
+}
+
static DiaObject *
fig_read_ellipse(FILE *file, DiagramData *dia) {
int sub_type;
@@ -749,10 +777,7 @@ fig_read_ellipse(FILE *file, DiagramData
/* Angle -- can't rotate yet */
/* Depth field */
- if (compound_stack == NULL)
- depths[depth] = g_list_append(depths[depth], newobj);
- else
- if (compound_depth > depth) compound_depth = depth;
+ add_at_depth(newobj, depth);
return newobj;
}
@@ -885,10 +910,7 @@ fig_read_polyline(FILE *file, DiagramDat
/* Cap style */
/* Depth field */
- if (compound_stack == NULL)
- depths[depth] = g_list_append(depths[depth], newobj);
- else
- if (compound_depth > depth) compound_depth = depth;
+ add_at_depth(newobj, depth);
exit:
prop_list_free(props);
g_free(forward_arrow_info);
@@ -1111,10 +1133,7 @@ fig_read_spline(FILE *file, DiagramData
/* Cap style */
/* Depth field */
- if (compound_stack == NULL)
- depths[depth] = g_list_append(depths[depth], newobj);
- else
- if (compound_depth > depth) compound_depth = depth;
+ add_at_depth(newobj, depth);
exit:
prop_list_free(props);
g_free(forward_arrow_info);
@@ -1202,10 +1221,7 @@ fig_read_arc(FILE *file, DiagramData *di
/* Cap style */
/* Depth field */
- if (compound_stack == NULL)
- depths[depth] = g_list_append(depths[depth], newobj);
- else
- if (compound_depth > depth) compound_depth = depth;
+ add_at_depth(newobj, depth);
exit:
g_free(forward_arrow_info);
@@ -1298,10 +1314,7 @@ fig_read_text(FILE *file, DiagramData *d
newobj->ops->set_props(newobj, props);
/* Depth field */
- if (compound_stack == NULL)
- depths[depth] = g_list_append(depths[depth], newobj);
- else
- if (compound_depth > depth) compound_depth = depth;
+ add_at_depth(newobj, depth);
exit:
if (text_buf != NULL) free(text_buf);
@@ -1347,6 +1360,12 @@ fig_read_object(FILE *file, DiagramData
return FALSE;
}
+ if (colornumber < 32 || colornumber > FIG_MAX_USER_COLORS) {
+ message_error(_("Color number %d out of range 0..%d. Discarding color.\n"),
+ colornumber, FIG_MAX_USER_COLORS);
+ return FALSE;
+ }
+
color.red = ((colorvalues & 0x00ff0000)>>16) / 255.0;
color.green = ((colorvalues & 0x0000ff00)>>8) / 255.0;
color.blue = (colorvalues & 0x000000ff) / 255.0;
@@ -1393,7 +1412,7 @@ fig_read_object(FILE *file, DiagramData
}
/* Group extends don't really matter */
if (compound_stack == NULL)
- compound_depth = 999;
+ compound_depth = FIG_MAX_DEPTHS - 1;
compound_stack = g_slist_append(compound_stack, NULL);
return TRUE;
break;
@@ -1551,7 +1570,7 @@ import_fig(const gchar *filename, Diagra
for (i = 0; i < FIG_MAX_USER_COLORS; i++) {
fig_colors[i] = color_black;
}
- for (i = 0; i < 1000; i++) {
+ for (i = 0; i < FIG_MAX_DEPTHS; i++) {
depths[i] = NULL;
}
@@ -1606,7 +1625,7 @@ import_fig(const gchar *filename, Diagra
} while (TRUE);
/* Now we can reorder for the depth fields */
- for (i = 0; i < 1000; i++) {
+ for (i = 0; i < FIG_MAX_DEPTHS; i++) {
if (depths[i] != NULL)
layer_add_objects_first(dia->active_layer, depths[i]);
}
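Review bot: In the `fig_read_n_points` hunk, `n` still reaches `g_array_sized_new(FALSE, FALSE, sizeof(Point), n)` without a range check, so the up-front reservation is sized by a value that presumably comes straight from the imported file. Appending through `g_array_append_val` removes the out-of-bounds write of the old `g_malloc(sizeof(Point)*n)` path, but a negative `n` is converted to a very large `guint` reservation and a huge positive one requests a correspondingly large allocation, which can make the importer abort on a malformed file instead of rejecting it. I would reject `n < 0` with `message_error` before allocating and reserve only a bounded amount, e.g. `g_array_sized_new(FALSE, FALSE, sizeof(Point), MIN(n, RESERVE_CAP))` with `RESERVE_CAP` a small constant of your choosing, letting the array grow as points are actually read. Separately, the new check in `fig_read_object` accepts `colornumber == FIG_MAX_USER_COLORS` while `fig_color` only returns user colors for `color_index < FIG_MAX_USER_COLORS`, and its message says the range starts at 0 although the test is `colornumber < 32`; the two bounds and the message should agree.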


@ -0,0 +1,11 @@
$OpenBSD: patch-plug-ins_xfig_xfig_h,v 1.1 2006/04/03 16:21:47 steven Exp $
--- plug-ins/xfig/xfig.h.orig Mon Aug 16 09:56:21 2004
+++ plug-ins/xfig/xfig.h Mon Apr 3 18:16:09 2006
@@ -6,6 +6,7 @@ extern char *fig_fonts[];
#define FIG_MAX_DEFAULT_COLORS 32
#define FIG_MAX_USER_COLORS 512
+#define FIG_MAX_DEPTHS 1000
/* 1200 PPI */
#define FIG_UNIT 472.440944881889763779527559055118
/* 1/80 inch */