You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
44 lines
1.5 KiB
44 lines
1.5 KiB
From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001 |
|
From: Ken Sharp <ken.sharp@artifex.com> |
|
Date: Fri, 24 Mar 2023 13:19:57 +0000 |
|
Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding |
|
|
|
Bug #706494 "Buffer Overflow in s_xBCPE_process" |
|
|
|
As described in detail in the bug report, if the write buffer is filled |
|
to one byte less than full, and we then try to write an escaped |
|
character, we overrun the buffer because we don't check before |
|
writing two bytes to it. |
|
|
|
This just checks if we have two bytes before starting to write an |
|
escaped character and exits if we don't (replacing the consumed byte |
|
of the input). |
|
|
|
Up for further discussion; why do we even permit a BCP encoding filter |
|
anyway ? I think we should remove this, at least when SAFER is true. |
|
--- |
|
base/sbcp.c | 10 +++++++++- |
|
1 file changed, 9 insertions(+), 1 deletion(-) |
|
|
|
diff --git a/base/sbcp.c b/base/sbcp.c |
|
index 979ae0992..47fc233ec 100644 |
|
--- a/base/sbcp.c |
|
+++ b/base/sbcp.c |
|
@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr, |
|
byte ch = *++p; |
|
|
|
if (ch <= 31 && escaped[ch]) { |
|
+ /* Make sure we have space to store two characters in the write buffer, |
|
+ * if we don't then exit without consuming the input character, we'll process |
|
+ * that on the next time round. |
|
+ */ |
|
+ if (pw->limit - q < 2) { |
|
+ p--; |
|
+ break; |
|
+ } |
|
if (p == rlimit) { |
|
p--; |
|
break; |
|
-- |
|
2.39.2 |
|
|
|
|