Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package liblouis for openSUSE:Factory checked in at 2022-06-04 23:26:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/liblouis (Old) and /work/SRC/openSUSE:Factory/.liblouis.new.1548 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "liblouis" Sat Jun 4 23:26:43 2022 rev:48 rq:980585 version:3.21.0 Changes: -------- --- /work/SRC/openSUSE:Factory/liblouis/liblouis.changes 2022-04-13 21:04:09.132526199 +0200 +++ /work/SRC/openSUSE:Factory/.liblouis.new.1548/liblouis.changes 2022-06-04 23:26:45.108738570 +0200 @@ -1,0 +2,8 @@ +Thu Jun 2 17:49:07 UTC 2022 - Michael Gorse <mgo...@suse.com> + +- Add liblouis-CVE-2022-26981.patch: fix buffer overrun in + compilePassOpcode (boo#1197085 CVE-2022-26981). +- Add liblouis-CVE-2022-31783.patch: prevent an invalid memory + write in compileRule (boo#1200120 CVE-2022-31783). + +------------------------------------------------------------------- New: ---- liblouis-CVE-2022-26981.patch liblouis-CVE-2022-31783.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ liblouis.spec ++++++ --- /var/tmp/diff_new_pack.M0yStn/_old 2022-06-04 23:26:45.752739225 +0200 +++ /var/tmp/diff_new_pack.M0yStn/_new 2022-06-04 23:26:45.756739228 +0200 @@ -25,6 +25,10 @@ Group: Productivity/Other URL: http://liblouis.org/ Source0: https://github.com/liblouis/liblouis/releases/download/v%{version}/liblouis-%{version}.tar.gz +# PATCH-FIX-UPSTREAM liblouis-CVE-2022-26981.patch boo#1197085 mgo...@suse.com -- fix buffer overrun in compilePassOpcode. +Patch0: liblouis-CVE-2022-26981.patch +# PATCH-FIX-UPSTREAM liblouis-CVE-2022-31783.patch boo#1200120 mgo...@suse.com -- prevent an invalid memory write in compileRule. +Patch1: liblouis-CVE-2022-31783.patch BuildRequires: fdupes BuildRequires: libyaml-devel @@ -124,7 +128,7 @@ This subpackage contains the Python3 bindings. %prep -%setup -q +%autosetup -p1 %build %configure --disable-static --enable-ucs4 ++++++ liblouis-CVE-2022-26981.patch ++++++ >From 73751be7a5617bfff4a735ae095203a2d3ec50ef Mon Sep 17 00:00:00 2001 From: Martin Gieseking <martin.giesek...@uos.de> Date: Tue, 22 Mar 2022 15:31:04 +0100 Subject: [PATCH] Prevent writing past CharString memory in compilePassOpcode --- liblouis/compileTranslationTable.c | 207 ++++++++++++++++++++--------- 1 file changed, 146 insertions(+), 61 deletions(-) diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c index 40513ce6..482ff1a6 100644 --- a/liblouis/compileTranslationTable.c +++ b/liblouis/compileTranslationTable.c @@ -1843,6 +1843,17 @@ verifyStringOrDots(const FileInfo *file, TranslationTableOpcode opcode, int isSt return 0; } +static int +appendInstructionChar( + const FileInfo *file, widechar *passInstructions, int *passIC, widechar ch) { + if (*passIC >= MAXSTRING) { + compileError(file, "multipass operand too long"); + return 0; + } + passInstructions[(*passIC)++] = ch; + return 1; +} + static int compilePassOpcode(const FileInfo *file, TranslationTableOpcode opcode, int noback, int nofor, TranslationTableHeader **table) { @@ -1883,32 +1894,34 @@ compilePassOpcode(const FileInfo *file, TranslationTableOpcode opcode, int nobac passLine.chars[endTest] = pass_endTest; passLinepos = 0; while (passLinepos <= endTest) { - if (passIC >= MAXSTRING) { - compileError(file, "Test part in multipass operand too long"); - return 0; - } switch ((passSubOp = passLine.chars[passLinepos])) { case pass_lookback: - passInstructions[passIC++] = pass_lookback; + if (!appendInstructionChar(file, passInstructions, &passIC, pass_lookback)) + return 0; passLinepos++; passGetNumber(&passLine, &passLinepos, &passHoldNumber); if (passHoldNumber == 0) passHoldNumber = 1; - passInstructions[passIC++] = passHoldNumber; + if (!appendInstructionChar(file, passInstructions, &passIC, passHoldNumber)) + return 0; break; case pass_not: - passInstructions[passIC++] = pass_not; + if (!appendInstructionChar(file, passInstructions, &passIC, pass_not)) + return 0; passLinepos++; break; case pass_first: - passInstructions[passIC++] = pass_first; + if (!appendInstructionChar(file, passInstructions, &passIC, pass_first)) + return 0; passLinepos++; break; case pass_last: - passInstructions[passIC++] = pass_last; + if (!appendInstructionChar(file, passInstructions, &passIC, pass_last)) + return 0; passLinepos++; break; case pass_search: - passInstructions[passIC++] = pass_search; + if (!appendInstructionChar(file, passInstructions, &passIC, pass_search)) + return 0; passLinepos++; break; case pass_string: @@ -1916,7 +1929,8 @@ compilePassOpcode(const FileInfo *file, TranslationTableOpcode opcode, int nobac return 0; } passLinepos++; - passInstructions[passIC++] = pass_string; + if (!appendInstructionChar(file, passInstructions, &passIC, pass_string)) + return 0; passGetString(&passLine, &passLinepos, &passHoldString, file); if (passHoldString.length == 0) { compileError(file, "empty string in test part"); @@ -1928,7 +1942,8 @@ compilePassOpcode(const FileInfo *file, TranslationTableOpcode opcode, int nobac return 0; } passLinepos++; - passInstructions[passIC++] = pass_dots; + if (!appendInstructionChar(file, passInstructions, &passIC, pass_dots)) + return 0; passGetDots(&passLine, &passLinepos, &passHoldString, file); if (passHoldString.length == 0) { compileError(file, "expected dot pattern after @ operand in test part"); @@ -1940,22 +1955,29 @@ compilePassOpcode(const FileInfo *file, TranslationTableOpcode opcode, int nobac file, "@ operand in test part of multipass operand too long"); return 0; } - passInstructions[passIC++] = passHoldString.length; + if (!appendInstructionChar( + file, passInstructions, &passIC, passHoldString.length)) + return 0; for (kk = 0; kk < passHoldString.length; kk++) { if (passIC >= MAXSTRING) { compileError( file, "@ operand in test part of multipass operand too long"); return 0; } - passInstructions[passIC++] = passHoldString.chars[kk]; + if (!appendInstructionChar( + file, passInstructions, &passIC, passHoldString.chars[kk])) + return 0; } break; case pass_startReplace: - passInstructions[passIC++] = pass_startReplace; + if (!appendInstructionChar( + file, passInstructions, &passIC, pass_startReplace)) + return 0; passLinepos++; break; case pass_endReplace: - passInstructions[passIC++] = pass_endReplace; + if (!appendInstructionChar(file, passInstructions, &passIC, pass_endReplace)) + return 0; passLinepos++; break; case pass_variable: @@ -1964,26 +1986,37 @@ compilePassOpcode(const FileInfo *file, TranslationTableOpcode opcode, int nobac return 0; switch (passLine.chars[passLinepos]) { case pass_eq: - passInstructions[passIC++] = pass_eq; + if (!appendInstructionChar(file, passInstructions, &passIC, pass_eq)) + return 0; goto doComp; case pass_lt: if (passLine.chars[passLinepos + 1] == pass_eq) { passLinepos++; - passInstructions[passIC++] = pass_lteq; - } else - passInstructions[passIC++] = pass_lt; + if (!appendInstructionChar( + file, passInstructions, &passIC, pass_lteq)) + return 0; + } else if (!appendInstructionChar( + file, passInstructions, &passIC, pass_lt)) + return 0; goto doComp; case pass_gt: if (passLine.chars[passLinepos + 1] == pass_eq) { passLinepos++; - passInstructions[passIC++] = pass_gteq; - } else - passInstructions[passIC++] = pass_gt; + if (!appendInstructionChar( + file, passInstructions, &passIC, pass_gteq)) + return 0; + } else if (!appendInstructionChar( + file, passInstructions, &passIC, pass_gt)) + return 0; doComp: - passInstructions[passIC++] = passHoldNumber; + if (!appendInstructionChar( + file, passInstructions, &passIC, passHoldNumber)) + return 0; passLinepos++; passGetNumber(&passLine, &passLinepos, &passHoldNumber); - passInstructions[passIC++] = passHoldNumber; + if (!appendInstructionChar( + file, passInstructions, &passIC, passHoldNumber)) + return 0; break; default: compileError(file, "incorrect comparison operator"); @@ -1995,27 +2028,40 @@ compilePassOpcode(const FileInfo *file, TranslationTableOpcode opcode, int nobac if (!passGetAttributes(&passLine, &passLinepos, &passAttributes, file)) return 0; insertAttributes: - passInstructions[passIC++] = pass_attributes; - passInstructions[passIC++] = (passAttributes >> 48) & 0xffff; - passInstructions[passIC++] = (passAttributes >> 32) & 0xffff; - passInstructions[passIC++] = (passAttributes >> 16) & 0xffff; - passInstructions[passIC++] = passAttributes & 0xffff; + if (!appendInstructionChar(file, passInstructions, &passIC, pass_attributes)) + return 0; + if (!appendInstructionChar( + file, passInstructions, &passIC, (passAttributes >> 48) & 0xffff)) + return 0; + if (!appendInstructionChar( + file, passInstructions, &passIC, (passAttributes >> 32) & 0xffff)) + return 0; + if (!appendInstructionChar( + file, passInstructions, &passIC, (passAttributes >> 16) & 0xffff)) + return 0; + if (!appendInstructionChar( + file, passInstructions, &passIC, passAttributes & 0xffff)) + return 0; getRange: if (passLine.chars[passLinepos] == pass_until) { passLinepos++; - passInstructions[passIC++] = 1; - passInstructions[passIC++] = 0xffff; + if (!appendInstructionChar(file, passInstructions, &passIC, 1)) return 0; + if (!appendInstructionChar(file, passInstructions, &passIC, 0xffff)) + return 0; break; } passGetNumber(&passLine, &passLinepos, &passHoldNumber); if (passHoldNumber == 0) { - passHoldNumber = passInstructions[passIC++] = 1; - passInstructions[passIC++] = 1; /* This is not an error */ + if (!appendInstructionChar(file, passInstructions, &passIC, 1)) return 0; + if (!appendInstructionChar(file, passInstructions, &passIC, 1)) return 0; break; } - passInstructions[passIC++] = passHoldNumber; + if (!appendInstructionChar(file, passInstructions, &passIC, passHoldNumber)) + return 0; if (passLine.chars[passLinepos] != pass_hyphen) { - passInstructions[passIC++] = passHoldNumber; + if (!appendInstructionChar( + file, passInstructions, &passIC, passHoldNumber)) + return 0; break; } passLinepos++; @@ -2024,7 +2070,8 @@ compilePassOpcode(const FileInfo *file, TranslationTableOpcode opcode, int nobac compileError(file, "invalid range"); return 0; } - passInstructions[passIC++] = passHoldNumber; + if (!appendInstructionChar(file, passInstructions, &passIC, passHoldNumber)) + return 0; break; case pass_groupstart: case pass_groupend: { @@ -2034,9 +2081,14 @@ compilePassOpcode(const FileInfo *file, TranslationTableOpcode opcode, int nobac if (ruleOffset) rule = (TranslationTableRule *)&(*table)->ruleArea[ruleOffset]; if (rule && rule->opcode == CTO_Grouping) { - passInstructions[passIC++] = passSubOp; - passInstructions[passIC++] = ruleOffset >> 16; - passInstructions[passIC++] = ruleOffset & 0xffff; + if (!appendInstructionChar(file, passInstructions, &passIC, passSubOp)) + return 0; + if (!appendInstructionChar( + file, passInstructions, &passIC, ruleOffset >> 16)) + return 0; + if (!appendInstructionChar( + file, passInstructions, &passIC, ruleOffset & 0xffff)) + return 0; break; } else { compileError(file, "%s is not a grouping name", @@ -2059,9 +2111,14 @@ compilePassOpcode(const FileInfo *file, TranslationTableOpcode opcode, int nobac if (rule && (rule->opcode == CTO_SwapCc || rule->opcode == CTO_SwapCd || rule->opcode == CTO_SwapDd)) { - passInstructions[passIC++] = pass_swap; - passInstructions[passIC++] = ruleOffset >> 16; - passInstructions[passIC++] = ruleOffset & 0xffff; + if (!appendInstructionChar(file, passInstructions, &passIC, pass_swap)) + return 0; + if (!appendInstructionChar( + file, passInstructions, &passIC, ruleOffset >> 16)) + return 0; + if (!appendInstructionChar( + file, passInstructions, &passIC, ruleOffset & 0xffff)) + return 0; goto getRange; } compileError(file, "%s is neither a class name nor a swap name.", @@ -2069,7 +2126,8 @@ compilePassOpcode(const FileInfo *file, TranslationTableOpcode opcode, int nobac return 0; } case pass_endTest: - passInstructions[passIC++] = pass_endTest; + if (!appendInstructionChar(file, passInstructions, &passIC, pass_endTest)) + return 0; passLinepos++; break; default: @@ -2094,7 +2152,8 @@ compilePassOpcode(const FileInfo *file, TranslationTableOpcode opcode, int nobac return 0; } passLinepos++; - passInstructions[passIC++] = pass_string; + if (!appendInstructionChar(file, passInstructions, &passIC, pass_string)) + return 0; passGetString(&passLine, &passLinepos, &passHoldString, file); goto actionDoCharsDots; case pass_dots: @@ -2103,7 +2162,8 @@ compilePassOpcode(const FileInfo *file, TranslationTableOpcode opcode, int nobac } passLinepos++; passGetDots(&passLine, &passLinepos, &passHoldString, file); - passInstructions[passIC++] = pass_dots; + if (!appendInstructionChar(file, passInstructions, &passIC, pass_dots)) + return 0; if (passHoldString.length == 0) { compileError(file, "expected dot pattern after @ operand in action part"); return 0; @@ -2114,14 +2174,18 @@ compilePassOpcode(const FileInfo *file, TranslationTableOpcode opcode, int nobac file, "@ operand in action part of multipass operand too long"); return 0; } - passInstructions[passIC++] = passHoldString.length; + if (!appendInstructionChar( + file, passInstructions, &passIC, passHoldString.length)) + return 0; for (kk = 0; kk < passHoldString.length; kk++) { if (passIC >= MAXSTRING) { compileError(file, "@ operand in action part of multipass operand too long"); return 0; } - passInstructions[passIC++] = passHoldString.chars[kk]; + if (!appendInstructionChar( + file, passInstructions, &passIC, passHoldString.chars[kk])) + return 0; } break; case pass_variable: @@ -2130,16 +2194,25 @@ compilePassOpcode(const FileInfo *file, TranslationTableOpcode opcode, int nobac return 0; switch (passLine.chars[passLinepos]) { case pass_eq: - passInstructions[passIC++] = pass_eq; - passInstructions[passIC++] = passHoldNumber; + if (!appendInstructionChar(file, passInstructions, &passIC, pass_eq)) + return 0; + if (!appendInstructionChar( + file, passInstructions, &passIC, passHoldNumber)) + return 0; passLinepos++; passGetNumber(&passLine, &passLinepos, &passHoldNumber); - passInstructions[passIC++] = passHoldNumber; + if (!appendInstructionChar( + file, passInstructions, &passIC, passHoldNumber)) + return 0; break; case pass_plus: case pass_hyphen: - passInstructions[passIC++] = passLine.chars[passLinepos++]; - passInstructions[passIC++] = passHoldNumber; + if (!appendInstructionChar(file, passInstructions, &passIC, + passLine.chars[passLinepos++])) + return 0; + if (!appendInstructionChar( + file, passInstructions, &passIC, passHoldNumber)) + return 0; break; default: compileError(file, "incorrect variable operator in action part"); @@ -2147,11 +2220,13 @@ compilePassOpcode(const FileInfo *file, TranslationTableOpcode opcode, int nobac } break; case pass_copy: - passInstructions[passIC++] = pass_copy; + if (!appendInstructionChar(file, passInstructions, &passIC, pass_copy)) + return 0; passLinepos++; break; case pass_omit: - passInstructions[passIC++] = pass_omit; + if (!appendInstructionChar(file, passInstructions, &passIC, pass_omit)) + return 0; passLinepos++; break; case pass_groupreplace: @@ -2163,9 +2238,14 @@ compilePassOpcode(const FileInfo *file, TranslationTableOpcode opcode, int nobac if (ruleOffset) rule = (TranslationTableRule *)&(*table)->ruleArea[ruleOffset]; if (rule && rule->opcode == CTO_Grouping) { - passInstructions[passIC++] = passSubOp; - passInstructions[passIC++] = ruleOffset >> 16; - passInstructions[passIC++] = ruleOffset & 0xffff; + if (!appendInstructionChar(file, passInstructions, &passIC, passSubOp)) + return 0; + if (!appendInstructionChar( + file, passInstructions, &passIC, ruleOffset >> 16)) + return 0; + if (!appendInstructionChar( + file, passInstructions, &passIC, ruleOffset & 0xffff)) + return 0; break; } compileError(file, "%s is not a grouping name", @@ -2181,9 +2261,14 @@ compilePassOpcode(const FileInfo *file, TranslationTableOpcode opcode, int nobac if (rule && (rule->opcode == CTO_SwapCc || rule->opcode == CTO_SwapCd || rule->opcode == CTO_SwapDd)) { - passInstructions[passIC++] = pass_swap; - passInstructions[passIC++] = ruleOffset >> 16; - passInstructions[passIC++] = ruleOffset & 0xffff; + if (!appendInstructionChar(file, passInstructions, &passIC, pass_swap)) + return 0; + if (!appendInstructionChar( + file, passInstructions, &passIC, ruleOffset >> 16)) + return 0; + if (!appendInstructionChar( + file, passInstructions, &passIC, ruleOffset & 0xffff)) + return 0; break; } compileError(file, "%s is not a swap name.", -- 2.36.1 ++++++ liblouis-CVE-2022-31783.patch ++++++ >From 2e4772befb2b1c37cb4b9d6572945115ee28630a Mon Sep 17 00:00:00 2001 From: Christian Egli <christian.e...@sbs.ch> Date: Wed, 25 May 2022 18:08:36 +0200 Subject: [PATCH] Prevent an invalid memory writes in compileRule Thanks to Han Zheng for reporting it Fixes #1214 --- liblouis/compileTranslationTable.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c index 482ff1a6..43785245 100644 --- a/liblouis/compileTranslationTable.c +++ b/liblouis/compileTranslationTable.c @@ -3821,12 +3821,14 @@ doOpcode: case CTO_SeqAfterExpression: if (!getRuleCharsText(file, &ruleChars)) return 0; - for ((*table)->seqAfterExpressionLength = 0; - (*table)->seqAfterExpressionLength < ruleChars.length; - (*table)->seqAfterExpressionLength++) - (*table)->seqAfterExpression[(*table)->seqAfterExpressionLength] = - ruleChars.chars[(*table)->seqAfterExpressionLength]; - (*table)->seqAfterExpression[(*table)->seqAfterExpressionLength] = 0; + if ((ruleChars.length + 1) > SEQPATTERNSIZE) { + compileError(file, "More than %d characters", SEQPATTERNSIZE); + return 0; + } + for (int k = 0; k < ruleChars.length; k++) + (*table)->seqAfterExpression[k] = ruleChars.chars[k]; + (*table)->seqAfterExpression[ruleChars.length] = 0; + (*table)->seqAfterExpressionLength = ruleChars.length; return 1; case CTO_CapsModeChars: -- 2.36.1
