Security fix for CVE-2012-5854:

weechat: Heap-based buffer overflow when decoding IRC colors
This commit is contained in:
jasper 2012-11-15 15:48:01 +00:00
parent 2104d1b1ca
commit c2d0ce55d2
2 changed files with 140 additions and 2 deletions


@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.6 2012/09/23 17:05:49 jeremy Exp $
# $OpenBSD: Makefile,v 1.7 2012/11/15 15:48:01 jasper Exp $
COMMENT-main= fast, light and extensible chat client
COMMENT-lua= Lua bindings for weechat
@ -10,7 +10,7 @@ V= 0.3.8
DISTNAME= weechat-${V}
PKGNAME-main= weechat-${V}
REVISION-main= 2
REVISION-main= 3
PKGNAME-lua= weechat-lua-${V}
REVISION-lua= 1
PKGNAME-python= weechat-python-${V}


@ -0,0 +1,138 @@
$OpenBSD: patch-src_plugins_irc_irc-color_c,v 1.1 2012/11/15 15:48:01 jasper Exp $
Security fix for CVE-2012-5854:
weechat: Heap-based buffer overflow when decoding IRC colors
Patch from http://git.savannah.gnu.org/gitweb/?p=weechat.git;a=commitdiff;h=9453e81baa7935db82a0b765a47cba772aba730d#patch2
--- src/plugins/irc/irc-color.c.orig Sun Apr 1 12:27:18 2012
+++ src/plugins/irc/irc-color.c Thu Nov 15 16:42:20 2012
@@ -62,13 +62,15 @@ char *irc_color_to_weechat[IRC_NUM_COLORS] =
char *
irc_color_decode (const char *string, int keep_colors)
{
- unsigned char *out, *ptr_string;
- int out_length, length, out_pos;
- char str_fg[3], str_bg[3], str_color[128], str_key[128];
+ unsigned char *out, *out2, *ptr_string;
+ int out_length, length, out_pos, length_to_add;
+ char str_fg[3], str_bg[3], str_color[128], str_key[128], str_to_add[128];
const char *remapped_color;
int fg, bg, bold, reverse, italic, underline, rc;
out_length = (strlen (string) * 2) + 1;
+ if (out_length < 128)
+ out_length = 128;
out = malloc (out_length);
if (!out)
return NULL;
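Review bot: The `if (out_length < 128)` floor in this hunk is load-bearing but carries no comment: `str_to_add` is declared as 128 bytes in the same hunk, so every piece appended later is at most 127 characters, and the growth step in the append loop (a single `out_length *= 2` per append) only has room for the new piece because out_length never starts below that buffer's size. I would tie the two together at the floor, e.g. `/* never smaller than str_to_add: the append path grows out by one doubling, which only suffices if out_length >= sizeof (str_to_add) */`. A smaller point: `out_length` is an `int` computed from `strlen (string) * 2 + 1`, which wraps for inputs beyond INT_MAX/2; IRC lines are far shorter in practice, but `size_t` would remove the question. The rest of irc_color_decode lies outside this hunk.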
@@ -80,20 +82,27 @@ irc_color_decode (const char *string, int keep_colors)
ptr_string = (unsigned char *)string;
out[0] = '\0';
+ out_pos = 0;
while (ptr_string && ptr_string[0])
{
+ str_to_add[0] = '\0';
switch (ptr_string[0])
{
case IRC_COLOR_BOLD_CHAR:
if (keep_colors)
- strcat ((char *)out,
- weechat_color((bold) ? "-bold" : "bold"));
+ {
+ snprintf (str_to_add, sizeof (str_to_add), "%s",
+ weechat_color ((bold) ? "-bold" : "bold"));
+ }
bold ^= 1;
ptr_string++;
break;
case IRC_COLOR_RESET_CHAR:
if (keep_colors)
- strcat ((char *)out, weechat_color("reset"));
+ {
+ snprintf (str_to_add, sizeof (str_to_add), "%s",
+ weechat_color ("reset"));
+ }
bold = 0;
reverse = 0;
italic = 0;
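Review bot: The `snprintf (str_to_add, sizeof (str_to_add), "%s", weechat_color (...))` calls discard the return value, so a color string of 128 bytes or more would be cut off silently and a truncated escape sequence appended to `out`; this is bounded and memory-safe, which is what the fix is after, but the assumption that weechat_color() output fits in 127 bytes is stated nowhere. A one-line comment at the first such call, `/* weechat_color() output is assumed to fit in str_to_add; truncation here is memory-safe but would leave a broken color code */`, would make the bound explicit. The same pattern appears in the two hunks that follow (reverse/italic/underline, and the foreground/background color case). irc_color_decode continues outside this hunk.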
@@ -106,22 +115,28 @@ irc_color_decode (const char *string, int keep_colors)
case IRC_COLOR_REVERSE_CHAR:
case IRC_COLOR_REVERSE2_CHAR:
if (keep_colors)
- strcat ((char *)out,
- weechat_color((reverse) ? "-reverse" : "reverse"));
+ {
+ snprintf (str_to_add, sizeof (str_to_add), "%s",
+ weechat_color ((reverse) ? "-reverse" : "reverse"));
+ }
reverse ^= 1;
ptr_string++;
break;
case IRC_COLOR_ITALIC_CHAR:
if (keep_colors)
- strcat ((char *)out,
- weechat_color((italic) ? "-italic" : "italic"));
+ {
+ snprintf (str_to_add, sizeof (str_to_add), "%s",
+ weechat_color ((italic) ? "-italic" : "italic"));
+ }
italic ^= 1;
ptr_string++;
break;
case IRC_COLOR_UNDERLINE_CHAR:
if (keep_colors)
- strcat ((char *)out,
- weechat_color((underline) ? "-underline" : "underline"));
+ {
+ snprintf (str_to_add, sizeof (str_to_add), "%s",
+ weechat_color ((underline) ? "-underline" : "underline"));
+ }
underline ^= 1;
ptr_string++;
break;
@@ -194,21 +209,38 @@ irc_color_decode (const char *string, int keep_colors)
(bg >= 0) ? "," : "",
(bg >= 0) ? irc_color_to_weechat[bg] : "");
}
- strcat ((char *)out, weechat_color(str_color));
+ snprintf (str_to_add, sizeof (str_to_add), "%s",
+ weechat_color (str_color));
}
else
- strcat ((char *)out, weechat_color("resetcolor"));
+ {
+ snprintf (str_to_add, sizeof (str_to_add), "%s",
+ weechat_color ("resetcolor"));
+ }
}
break;
default:
length = weechat_utf8_char_size ((char *)ptr_string);
if (length == 0)
length = 1;
- out_pos = strlen ((char *)out);
- memcpy (out + out_pos, ptr_string, length);
- out[out_pos + length] = '\0';
+ memcpy (str_to_add, ptr_string, length);
+ str_to_add[length] = '\0';
ptr_string += length;
break;
+ }
+ if (str_to_add[0])
+ {
+ length_to_add = strlen (str_to_add);
+ if (out_pos + length_to_add >= out_length)
+ {
+ out_length *= 2;
+ out2 = realloc (out, out_length);
+ if (!out2)
+ return (char *)out;
+ out = out2;
+ }
+ memcpy (out + out_pos, str_to_add, length_to_add + 1);
+ out_pos += length_to_add;
}
}