fe830ffd8d
* gnu/packages/video.scm (libcaca)[source]: Add patches. * gnu/packages/patches/libcaca-CVE-2021-3410-pt1.patch, gnu/packages/patches/libcaca-CVE-2021-3410-pt2.patch: New files. * gnu/local.mk (dist_patch_DATA): Register them.
137 lines
5 KiB
Diff
137 lines
5 KiB
Diff
https://github.com/cacalabs/libcaca/commit/46b4ea7cea72d6b3ffe65d33e604b1774dcc2bbd.patch
|
|
|
|
From 46b4ea7cea72d6b3ffe65d33e604b1774dcc2bbd Mon Sep 17 00:00:00 2001
|
|
From: Sam Hocevar <sam@hocevar.net>
|
|
Date: Fri, 26 Feb 2021 10:55:38 +0100
|
|
Subject: [PATCH] canvas: fix an integer overflow in caca_resize().
|
|
|
|
Fixes: #52 (CVE-2021-3410)
|
|
---
|
|
caca/canvas.c | 13 +++++++++++--
|
|
caca/codec/import.c | 1 +
|
|
caca/codec/text.c | 21 ++++++++++++++-------
|
|
3 files changed, 26 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/caca/canvas.c b/caca/canvas.c
|
|
index 3fdd37ae..d0715392 100644
|
|
--- a/caca/canvas.c
|
|
+++ b/caca/canvas.c
|
|
@@ -45,6 +45,7 @@ static int caca_resize(caca_canvas_t *, int, int);
|
|
*
|
|
* If an error occurs, NULL is returned and \b errno is set accordingly:
|
|
* - \c EINVAL Specified width or height is invalid.
|
|
+ * - \c EOVERFLOW Specified width and height overflowed.
|
|
* - \c ENOMEM Not enough memory for the requested canvas size.
|
|
*
|
|
* \param width The desired canvas width
|
|
@@ -200,6 +201,7 @@ int caca_unmanage_canvas(caca_canvas_t *cv, int (*callback)(void *), void *p)
|
|
*
|
|
* If an error occurs, -1 is returned and \b errno is set accordingly:
|
|
* - \c EINVAL Specified width or height is invalid.
|
|
+ * - \c EOVERFLOW Specified width and height overflowed.
|
|
* - \c EBUSY The canvas is in use by a display driver and cannot be resized.
|
|
* - \c ENOMEM Not enough memory for the requested canvas size. If this
|
|
* happens, the canvas handle becomes invalid and should not be used.
|
|
@@ -363,7 +365,7 @@ int caca_rand(int min, int max)
|
|
|
|
int caca_resize(caca_canvas_t *cv, int width, int height)
|
|
{
|
|
- int x, y, f, old_width, old_height, new_size, old_size;
|
|
+ int x, y, f, old_width, old_height, old_size;
|
|
|
|
old_width = cv->width;
|
|
old_height = cv->height;
|
|
@@ -375,7 +377,14 @@ int caca_resize(caca_canvas_t *cv, int width, int height)
|
|
* dirty rectangle handling */
|
|
cv->width = width;
|
|
cv->height = height;
|
|
- new_size = width * height;
|
|
+ int new_size = width * height;
|
|
+
|
|
+ /* Check for overflow */
|
|
+ if (new_size / width != height)
|
|
+ {
|
|
+ seterrno(EOVERFLOW);
|
|
+ return -1;
|
|
+ }
|
|
|
|
/* If width or height is smaller (or both), we have the opportunity to
|
|
* reduce or even remove dirty rectangles */
|
|
diff --git a/caca/codec/import.c b/caca/codec/import.c
|
|
index 8836fd08..2dafe3cf 100644
|
|
--- a/caca/codec/import.c
|
|
+++ b/caca/codec/import.c
|
|
@@ -61,6 +61,7 @@ static ssize_t import_caca(caca_canvas_t *, void const *, size_t);
|
|
*
|
|
* If an error occurs, -1 is returned and \b errno is set accordingly:
|
|
* - \c ENOMEM Not enough memory to allocate canvas.
|
|
+ * - \c EOVERFLOW Importing data caused a value overflow.
|
|
* - \c EINVAL Invalid format requested.
|
|
*
|
|
* \param cv A libcaca canvas in which to import the file.
|
|
diff --git a/caca/codec/text.c b/caca/codec/text.c
|
|
index 358b7224..94a2a4d7 100644
|
|
--- a/caca/codec/text.c
|
|
+++ b/caca/codec/text.c
|
|
@@ -46,7 +46,7 @@ ssize_t _import_text(caca_canvas_t *cv, void const *data, size_t size)
|
|
char const *text = (char const *)data;
|
|
unsigned int width = 0, height = 0, x = 0, y = 0, i;
|
|
|
|
- caca_set_canvas_size(cv, width, height);
|
|
+ caca_set_canvas_size(cv, 0, 0);
|
|
|
|
for(i = 0; i < size; i++)
|
|
{
|
|
@@ -70,15 +70,19 @@ ssize_t _import_text(caca_canvas_t *cv, void const *data, size_t size)
|
|
if(y >= height)
|
|
height = y + 1;
|
|
|
|
- caca_set_canvas_size(cv, width, height);
|
|
+ if (caca_set_canvas_size(cv, width, height) < 0)
|
|
+ return -1;
|
|
}
|
|
|
|
caca_put_char(cv, x, y, ch);
|
|
x++;
|
|
}
|
|
|
|
- if(y > height)
|
|
- caca_set_canvas_size(cv, width, height = y);
|
|
+ if (y > height)
|
|
+ {
|
|
+ if (caca_set_canvas_size(cv, width, height = y) < 0)
|
|
+ return -1;
|
|
+ }
|
|
|
|
return (ssize_t)size;
|
|
}
|
|
@@ -431,7 +435,8 @@ ssize_t _import_ansi(caca_canvas_t *cv, void const *data, size_t size, int utf8)
|
|
{
|
|
savedattr = caca_get_attr(cv, -1, -1);
|
|
caca_set_attr(cv, im.clearattr);
|
|
- caca_set_canvas_size(cv, width = x + wch, height);
|
|
+ if (caca_set_canvas_size(cv, width = x + wch, height) < 0)
|
|
+ return -1;
|
|
caca_set_attr(cv, savedattr);
|
|
}
|
|
else
|
|
@@ -448,7 +453,8 @@ ssize_t _import_ansi(caca_canvas_t *cv, void const *data, size_t size, int utf8)
|
|
caca_set_attr(cv, im.clearattr);
|
|
if(growy)
|
|
{
|
|
- caca_set_canvas_size(cv, width, height = y + 1);
|
|
+ if (caca_set_canvas_size(cv, width, height = y + 1) < 0)
|
|
+ return -1;
|
|
}
|
|
else
|
|
{
|
|
@@ -480,7 +486,8 @@ ssize_t _import_ansi(caca_canvas_t *cv, void const *data, size_t size, int utf8)
|
|
{
|
|
savedattr = caca_get_attr(cv, -1, -1);
|
|
caca_set_attr(cv, im.clearattr);
|
|
- caca_set_canvas_size(cv, width, height = y);
|
|
+ if (caca_set_canvas_size(cv, width, height = y))
|
|
+ return -1;
|
|
caca_set_attr(cv, savedattr);
|
|
}
|
|
|