Package: doxygen Version: 1.4.6-2 Severity: normal Tags: patch Hi,
Attached is the diff for my doxygen 1.4.6-2.1 NMU.
diff -u doxygen-1.4.6/debian/changelog doxygen-1.4.6/debian/changelog --- doxygen-1.4.6/debian/changelog +++ doxygen-1.4.6/debian/changelog @@ -1,3 +1,11 @@ +doxygen (1.4.6-2.1) unstable; urgency=low + + * Non-maintainer upload. + * Fix buffer overflows in QCString::sprintf() and SCString::sprintf(). + (Closes: #357722) + + -- Steinar H. Gunderson <[EMAIL PROTECTED]> Sat, 3 Jun 2006 13:28:13 +0200 + doxygen (1.4.6-2) unstable; urgency=low * Fix build error with g++-4.1 (closes: #358208). only in patch2: unchanged: --- doxygen-1.4.6.orig/qtools/qcstring.cpp +++ doxygen-1.4.6/qtools/qcstring.cpp @@ -577,43 +577,42 @@ /*! - Implemented as a call to the native vsprintf() (see your C-library + Implemented as a call to the native vsnprintf() (see your C-library manual). - If your string is shorter than 256 characters, this sprintf() calls - resize(256) to decrease the chance of memory corruption. The string is - resized back to its natural length before sprintf() returns. - - Example: - \code - QCString s; - s.sprintf( "%d - %s", 1, "first" ); // result < 256 chars - - QCString big( 25000 ); // very long string - big.sprintf( "%d - %s", 2, longString ); // result < 25000 chars - \endcode - - \warning All vsprintf() implementations will write past the end of - the target string (*this) if the format specification and arguments - happen to be longer than the target string, and some will also fail - if the target string is longer than some arbitrary implementation - limit. - - Giving user-supplied arguments to sprintf() is begging for trouble. - Sooner or later someone \e will paste a 3000-character line into - your application. + This function takes some special care to avoid overflowing the buffer. + It uses vsnprintf() instead of vsprintf(), and if the entire string was + used, it increases the buffer length successively until there is enough + room. The string is resized back to its natural length before sprintf() + returns. */ QCString &QCString::sprintf( const char *format, ... ) { detach(); - va_list ap; - va_start( ap, format ); - if ( size() < 256 ) - QByteArray::resize( 256 ); // make string big enough - vsprintf( data(), format, ap ); + + bool finish; + if ( size() < 256 ) { // useful starting point + QByteArray::resize( 256 ); + } + + do { + va_list ap; + va_start( ap, format ); + int ret = vsnprintf( data(), size(), format, ap ); + va_end( ap ); + + finish = false; + if ( ret >= size() ) { + QByteArray::resize( ret + 1 ); + } else if ( ret == -1 ) { // glibc pre-2.1 + QByteArray::resize( size() * 2 ); + } else { + finish = true; + } + } while ( !finish ); + resize( qstrlen(data()) + 1 ); // truncate - va_end( ap ); return *this; } only in patch2: unchanged: --- doxygen-1.4.6.orig/qtools/scstring.cpp +++ doxygen-1.4.6/qtools/scstring.cpp @@ -130,20 +130,41 @@ SCString &SCString::sprintf( const char *format, ... ) { - va_list ap; - va_start( ap, format ); - uint l = length(); - const uint minlen=256; + int l = length(); + const int minlen=256; + bool finish; + if (l<minlen) { if (m_data) m_data = (char *)realloc(m_data,minlen); else m_data = (char *)malloc(minlen); + l = minlen; } - vsprintf( m_data, format, ap ); - resize( qstrlen(m_data) + 1 ); // truncate - va_end( ap ); + + do { + va_list ap; + va_start(ap, format); + int ret = vsnprintf(m_data, l, format, ap); + va_end(ap); + + finish = false; + if (ret >= l) + { + l = ret + 1; + resize(l); + } + else if (ret == -1) // glibc pre-2.1 + { + l *= 2; + resize(l); + } else { + finish = true; + } + } while ( !finish ); + + resize( qstrlen(m_data) + 1 ); // truncate return *this; }