78171009d1
Zen Parse found a local buffer overflow in gv version 3.5.8 and earlier. Under this vulnerability, an attacker can create a carefully crafted, malformed PDF or PostScript file that, when viewed using gv, executes arbitrary commands on the system. http://marc.theaimsgroup.com/?l=bugtraq&m=103428425111983&w=2
$OpenBSD: patch-source_ps_c,v 1.2 2002/10/26 21:48:07 brad Exp $
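--- source/ps.c.orig Fri Jun 6 18:00:00 1997
+++ source/ps.c Wed Oct 23 19:17:59 2002
@@ -420,6 +420,16 @@ psscan(fileP,filename,filename_raw,filen
 char cmd[512];
 char s[512];
 filename_unc=file_getTmpFilename(NULL,filename_raw);
+ if (file_nameIsDangerous(filename))
+ {
+ INFMESSAGE(the filename is dangerous)
+ sprintf(s, "The filename \"%s\" is dangerous: only alphanumeric "
+ "characters and \"%s\" are allowed.\n",
+ filename, file_charsAllowedInName);
+ NotePopupShowMessage(s);
+ ENDMESSAGE(psscan)
+ return(NULL);
+ }
 sprintf(cmd,cmd_uncompress,filename,filename_unc);
 INFMESSAGE(is compressed)
 INFSMESSAGE(uncompress command,cmd)
@@ -478,7 +488,7 @@ unc_ok:
 doc = (struct document *) PS_malloc(sizeof(struct document));
 CHECK_MALLOCED(doc);
 memset(doc, 0, sizeof(struct document));
- sscanf(line, "%*s %s", text);
+ sscanf(line, "%*s %256s", text);
 /*###jp###*/
 /*doc->epsf = iscomment(text, "EPSF-");*/
 doc->epsf = iscomment(text, "EPSF");
@@ -491,6 +501,16 @@ unc_ok:
 char cmd[512];
 char s[512];
 filename_dsc=file_getTmpFilename(NULL,filename_raw);
+ if (file_nameIsDangerous(filename))
+ {
+ INFMESSAGE(the filename is dangerous)
+ sprintf(s, "The filename \"%s\" is dangerous: only alphanumeric "
+ "characters and \"%s\" are allowed.\n",
+ filename, file_charsAllowedInName);
+ NotePopupShowMessage(s);
+ ENDMESSAGE(psscan)
+ return(NULL);
+ }
 sprintf(cmd,cmd_scan_pdf,filename,filename_dsc);
 INFMESSAGE(is PDF)
 INFSMESSAGE(scan command,cmd)
@@ -546,7 +566,7 @@ scan_ok:
 } else if (doc->date == NULL && iscomment(line+2, "CreationDate:")) {
 doc->date = gettextline(line+length("%%CreationDate:"));
 } else if (bb_set == NONE && iscomment(line+2, "BoundingBox:")) {
- sscanf(line+length("%%BoundingBox:"), "%s", text);
+ sscanf(line+length("%%BoundingBox:"), "%256s", text);
 if (strcmp(text, "(atend)") == 0) {
 bb_set = ATEND;
 } else {
@@ -578,7 +598,7 @@ scan_ok:
 }
 } else if (orientation_set == NONE &&
 iscomment(line+2, "Orientation:")) {
- sscanf(line+length("%%Orientation:"), "%s", text);
+ sscanf(line+length("%%Orientation:"), "%256s", text);
 if (strcmp(text, "(atend)") == 0) {
 orientation_set = ATEND;
 } else if (strcmp(text, "Portrait") == 0) {
@@ -589,7 +609,7 @@ scan_ok:
 orientation_set = 1;
 }
 } else if (page_order_set == NONE && iscomment(line+2, "PageOrder:")) {
- sscanf(line+length("%%PageOrder:"), "%s", text);
+ sscanf(line+length("%%PageOrder:"), "%256s", text);
 if (strcmp(text, "(atend)") == 0) {
 page_order_set = ATEND;
 } else if (strcmp(text, "Ascend") == 0) {
@@ -603,7 +623,7 @@ scan_ok:
 page_order_set = 1;
 }
 } else if (pages_set == NONE && iscomment(line+2, "Pages:")) {
- sscanf(line+length("%%Pages:"), "%s", text);
+ sscanf(line+length("%%Pages:"), "%256s", text);
 if (strcmp(text, "(atend)") == 0) {
 pages_set = ATEND;
 } else {
@@ -823,7 +843,7 @@ scan_ok:
 /* Do nothing */
 } else if (doc->default_page_orientation == NONE &&
 iscomment(line+2, "PageOrientation:")) {
- sscanf(line+length("%%PageOrientation:"), "%s", text);
+ sscanf(line+length("%%PageOrientation:"), "%256s", text);
 if (strcmp(text, "Portrait") == 0) {
 doc->default_page_orientation = PORTRAIT;
 } else if (strcmp(text, "Landscape") == 0) {
@@ -945,7 +965,7 @@ scan_ok:
 /* Do nothing */
 } else if (doc->default_page_orientation == NONE &&
 iscomment(line+2, "PageOrientation:")) {
- sscanf(line+length("%%PageOrientation:"), "%s", text);
+ sscanf(line+length("%%PageOrientation:"), "%256s", text);
 if (strcmp(text, "Portrait") == 0) {
 doc->default_page_orientation = PORTRAIT;
 } else if (strcmp(text, "Landscape") == 0) {
@@ -1082,7 +1102,7 @@ continuepage:
 /* Do nothing */
 } else if (doc->pages[doc->numpages].orientation == NONE &&
 iscomment(line+2, "PageOrientation:")) {
- sscanf(line+length("%%PageOrientation:"), "%s", text);
+ sscanf(line+length("%%PageOrientation:"), "%256s", text);
 if (strcmp(text, "Portrait") == 0) {
 doc->pages[doc->numpages].orientation = PORTRAIT;
 } else if (strcmp(text, "Landscape") == 0) {
@@ -1114,7 +1134,7 @@ continuepage:
 PS_free(cp);
 } else if ((page_bb_set == NONE || page_bb_set == ATEND) &&
 iscomment(line+2, "PageBoundingBox:")) {
- sscanf(line+length("%%PageBoundingBox:"), "%s", text);
+ sscanf(line+length("%%PageBoundingBox:"), "%256s", text);
 if (strcmp(text, "(atend)") == 0) {
 page_bb_set = ATEND;
 } else {
@@ -1228,14 +1248,14 @@ continuepage:
 }
 } else if (orientation_set == ATEND &&
 iscomment(line+2, "Orientation:")) {
- sscanf(line+length("%%Orientation:"), "%s", text);
+ sscanf(line+length("%%Orientation:"), "%256s", text);
 if (strcmp(text, "Portrait") == 0) {
 doc->orientation = PORTRAIT;
 } else if (strcmp(text, "Landscape") == 0) {
 doc->orientation = LANDSCAPE;
 }
 } else if (page_order_set == ATEND && iscomment(line+2, "PageOrder:")) {
- sscanf(line+length("%%PageOrder:"), "%s", text);
+ sscanf(line+length("%%PageOrder:"), "%256s", text);
 if (strcmp(text, "Ascend") == 0) {
 doc->pageorder = ASCEND;
 } else if (strcmp(text, "Descend") == 0) {
@@ -1789,7 +1809,7 @@ static char * readline (fd, lineP, posit
 INFMESSAGE(encountered "BeginData:")
 if (FD_LINE_LEN > 100) FD_BUF[100] = '\0';
 text[0] = '\0';
- if (sscanf(line+length("%%BeginData:"), "%d %*s %s", &num, text) >= 1) {
+ if (sscanf(line+length("%%BeginData:"), "%d %*s %100s", &num, text) >= 1) {
 if (strcmp(text, "Lines") == 0) {
 INFIMESSAGE(number of lines to skip:,num)
 while (num) {
@@ -1888,7 +1908,7 @@ pscopyuntil(fd, to, begin, end, comment)
 INFMESSAGE(encountered "BeginData:")
 if (FD_LINE_LEN > 100) FD_BUF[100] = '\0';
 text[0] = '\0';
- if (sscanf(line+length("%%BeginData:"), "%d %*s %100s", &num, text) >= 1) {
+ if (sscanf(line+length("%%BeginData:"), "%d %*s %100s", &num, text) >= 1) {
 if (strcmp(text, "Lines") == 0) {
 INFIMESSAGE(number of lines:,num)
 while (num) {
@@ -1985,7 +2005,7 @@ pscopydoc(dest_file,src_filename,d,pagel
 PS_free(comment);
 continue;
 }
- sscanf(comment+length("%%Pages:"), "%s", text);
+ sscanf(comment+length("%%Pages:"), "%256s", text);
 if (strcmp(text, "(atend)") == 0) {
 fputs(comment, dest_file);
 pages_atend = True;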
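Review bot: The new rejection branch in the `@@ -420,6 +420,16 @@` hunk formats the refused filename into `char s[512]` with an unbounded `sprintf`, so a sufficiently long name overruns the stack buffer in the very path meant to turn hostile names away; the identical block in the `@@ -491,6 +501,16 @@` hunk has the same problem. Bound the write instead, e.g. `snprintf(s, sizeof(s), "The filename \"%s\" is dangerous: only alphanumeric characters and \"%s\" are allowed.\n", filename, file_charsAllowedInName);`. The context lines `sprintf(cmd,cmd_uncompress,filename,filename_unc);` and `sprintf(cmd,cmd_scan_pdf,filename,filename_dsc);` fill `char cmd[512]` without a limit as well, and a character check does not by itself cap length, so those calls deserve the same treatment. psscan's body starts and ends outside these hunks, so whether the filename length is limited earlier cannot be confirmed from here.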