forked from pool/libredwg
0001-fix-obj_flush_hdlstream-GH-497.patch [CVE-2022-35164] [boo#1202553] OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libredwg?expand=0&rev=35
From bb97cadde05277f089b730a7aff4cffa4c9f8afa Mon Sep 17 00:00:00 2001
From: Reini Urban <rurban@cpan.org>
Date: Mon, 15 Aug 2022 10:23:08 +0200
Subject: [PATCH] bits: change bit_copy_chain
copy only the rest of the 2nd dat, not the whole.
and don't reset it to 0, keep its position.
---
src/bits.c | 14 +++++++-------
src/encode.c | 5 ++++-
2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/src/bits.c b/src/bits.c
index a7a8ca98..4c9ca878 100644
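--- a/src/bits.c
+++ b/src/bits.c
@@ -3353,25 +3353,25 @@ bool does_cross_unicode_datversion (Bit_Chain *restrict dat)
 return false;
 }
 
-/* Copy the whole content of tmp_data to dat, and reset tmp_dat.
+/* Copy the rest content of tmp_data to dat.
 WARN: This might change dat->chain */
 void bit_copy_chain (Bit_Chain *restrict dat, Bit_Chain *restrict tmp_dat)
 {
 unsigned long i;
- unsigned long dat_bits = bit_position (tmp_dat);
- unsigned long size = tmp_dat->byte;
+ unsigned long size = tmp_dat->size - tmp_dat->byte;
 while (dat->byte + size > dat->size)
 bit_chain_alloc (dat);
 // check if dat is byte aligned, tmp_dat always is. we can use memcpy then.
- if (!dat->bit)
+ if (!dat->bit && !tmp_dat->bit)
 {
 assert(!tmp_dat->bit);
- memcpy (&dat->chain[dat->byte], &tmp_dat->chain[0], size);
+ memcpy (&dat->chain[dat->byte], &tmp_dat->chain[tmp_dat->byte], size);
 dat->byte += size;
 }
 else
 {
- bit_set_position (tmp_dat, 0);
+ unsigned long dat_bits = bit_position (tmp_dat);
+ //bit_set_position (tmp_dat, 0);
 for (i = 0; i < size; i++)
 {
 bit_write_RC (dat, bit_read_RC (tmp_dat));
@@ -3380,6 +3380,6 @@ void bit_copy_chain (Bit_Chain *restrict dat, Bit_Chain *restrict tmp_dat)
 {
 bit_write_B (dat, bit_read_B (tmp_dat));
 }
+ bit_set_position (tmp_dat, dat_bits);
 }
- bit_set_position (tmp_dat, 0);
 }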
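Review bot: The new `size = tmp_dat->size - tmp_dat->byte` in bit_copy_chain is an unsigned subtraction with no check that `tmp_dat->byte` lies within `tmp_dat->size`, so a source chain positioned past its end wraps `size` to a huge value that then drives both the `bit_chain_alloc` loop and the `memcpy` length. A guard ahead of the subtraction, such as `if (tmp_dat->byte > tmp_dat->size) return;`, would bound both; the sum `dat->byte + size` in the loop condition can wrap in the same way. `size` also looks like the remaining buffer capacity rather than the bytes actually written to tmp_dat, so the copy may carry unwritten tail bytes into dat, which is worth confirming against how callers size the handle stream. The `assert(!tmp_dat->bit);` kept inside the first branch is now redundant with the added `!tmp_dat->bit` condition.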
diff --git a/src/encode.c b/src/encode.c
index d533e1fa..d4a63e16 100644
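--- a/src/encode.c
+++ b/src/encode.c
@@ -846,13 +846,16 @@ obj_flush_hdlstream (Dwg_Object *restrict obj, Bit_Chain *restrict dat,
 {
 unsigned long datpos = bit_position (dat);
 unsigned long hdlpos = bit_position (hdl_dat);
+ unsigned long hdlsize = (hdl_dat->size * 8) - hdlpos;
 unsigned long objpos = obj->address * 8;
 #if 0
 unsigned char* oldchain = dat->chain;
 #endif
- LOG_TRACE ("Flush handle stream of size %lu (@%lu.%u) to @%lu.%lu\n", hdlpos,
+ LOG_TRACE ("Flush handle stream of %lu bits (@%lu.%u) to @%lu.%lu\n", hdlsize,
 hdl_dat->byte, hdl_dat->bit, (datpos - objpos) / 8,
 (datpos - objpos) % 8);
+ if (hdlpos > 10000U)
+ LOG_ERROR("Possible hdl_data overflow")
 // This might change dat->chain
 bit_copy_chain (dat, hdl_dat);
 }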
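Review bot: The added `if (hdlpos > 10000U)` check only logs and then falls through to `bit_copy_chain (dat, hdl_dat)`, so a handle stream flagged as a possible overflow is still copied, and the threshold is a magic constant rather than the chain's real bound. The new `hdlsize = (hdl_dat->size * 8) - hdlpos` has the related problem that it wraps when hdlpos exceeds the chain's bit size. Testing against the actual size before computing hdlsize and skipping the copy, e.g. `if (hdlpos > hdl_dat->size * 8) { LOG_ERROR ("hdl_dat position beyond its size"); return; }`, would cover both, assuming the function returns void; its signature starts outside the hunk. The `LOG_ERROR(...)` line also has no terminating semicolon, which compiles only if the macro expands to a complete statement.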
--
2.37.1