Control: tags 1060407 + patch
Control: tags 1060407 + pending

Dear maintainer,

I've prepared an NMU for gtkwave (versioned as 3.3.118-0.1) and uploaded 
it to DELAYED/2. Please feel free to tell me if I should cancel it.

cu
Adrian
diffstat for gtkwave-3.3.116 gtkwave-3.3.118

 ChangeLog                                            |   44 ++++
 LICENSE.TXT                                          |    2 
 configure                                            |   20 +-
 configure.ac                                         |    2 
 contrib/bundle_for_osx/Info-gtkwave.plist            |    6 
 contrib/xml2stems/xml2stems.cc                       |   20 +-
 debian/changelog                                     |   30 +++
 share/appdata/Makefile.am                            |    2 
 share/appdata/Makefile.in                            |    2 
 share/appdata/gtkwave.appdata.xml                    |   20 --
 share/appdata/io.github.gtkwave.GTKWave.metainfo.xml |  143 ++++++++++++++
 src/debug.c                                          |   39 +++
 src/debug.h                                          |    3 
 src/extload.c                                        |    6 
 src/globals.h                                        |    2 
 src/helpers/evcd2vcd.c                               |   14 +
 src/helpers/fst/fstapi.c                             |  189 +++++++++++++++++--
 src/helpers/lxt2_read.c                              |   96 +++++++++
 src/helpers/vcd2fst.c                                |   47 ++++
 src/helpers/vcd2lxt.c                                |   69 ++++++
 src/helpers/vcd2lxt2.c                               |   69 ++++++
 src/helpers/vcd2vzt.c                                |   69 ++++++
 src/helpers/vzt_read.c                               |  109 ++++++++++
 src/libghw.c                                         |    3 
 src/liblzma/LzmaLib.c                                |   37 +++
 src/main.c                                           |    4 
 src/ptranslate.c                                     |    2 
 src/savefile.c                                       |    4 
 src/ttranslate.c                                     |    2 
 src/vcd.c                                            |   17 +
 src/vcd_partial.c                                    |   17 +
 src/vcd_recoder.c                                    |   15 +
 32 files changed, 1000 insertions(+), 104 deletions(-)

diff -Nru gtkwave-3.3.116/ChangeLog gtkwave-3.3.118/ChangeLog
--- gtkwave-3.3.116/ChangeLog	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/ChangeLog	2023-12-31 23:11:04.000000000 +0200
@@ -1843,3 +1843,47 @@
 		Add GDK_WINDOWING_WAYLAND check for gdkwayland.h header usage.
 		Changed	sprintf	to snprintf in fstapi.c.
 		Fix init crash on show_base_symbols enabled.
+3.3.117	08aug23	Fix stems reader processing code broken in 3.3.114.
+3.3.118 17dec23 Update xml2stems to handle newer "loc" vs "fl" xml tags.
+		Change preg_regex_c_1 decl to use regex_t* as datatype.
+		Move gtkwave.appdata.xml to 
+		io.github.gtkwave.GTKWave.metainfo.xml.
+		Fixed popen security advisories:
+		TALOS-2023-1786
+		Fixed FST security advisories:		
+		TALOS-2023-1777
+		TALOS-2023-1783
+		TALOS-2023-1785
+		TALOS-2023-1789
+		TALOS-2023-1790
+		TALOS-2023-1791
+		TALOS-2023-1792
+		TALOS-2023-1793
+		TALOS-2023-1797
+		TALOS-2023-1798
+		Fixed evcd2vcd security advisories:
+		TALOS-2023-1803
+		Fixed VCD security advisories:
+		TALOS-2023-1804
+		TALOS-2023-1805
+		TALOS-2023-1806
+		TALOS-2023-1807
+		Fixed VZT security advisories:
+		TALOS-2023-1810
+		TALOS-2023-1811
+		TALOS-2023-1812
+		TALOS-2023-1813
+		TALOS-2023-1814
+		TALOS-2023-1815
+		TALOS-2023-1816
+		TALOS-2023-1817
+		Fixed LXT2 security advisories:		
+		TALOS-2023-1818
+		TALOS-2023-1819
+		TALOS-2023-1820
+		TALOS-2023-1821
+		TALOS-2023-1822
+		TALOS-2023-1823
+		TALOS-2023-1824
+		TALOS-2023-1826
+		TALOS-2023-1827
diff -Nru gtkwave-3.3.116/configure gtkwave-3.3.118/configure
--- gtkwave-3.3.116/configure	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/configure	2023-12-31 23:11:03.000000000 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for gtkwave-gtk3 3.3.116.
+# Generated by GNU Autoconf 2.69 for gtkwave-gtk3 3.3.118.
 #
 # Report bugs to <byb...@rocketmail.com>.
 #
@@ -580,8 +580,8 @@
 # Identity of this package.
 PACKAGE_NAME='gtkwave-gtk3'
 PACKAGE_TARNAME='gtkwave-gtk3'
-PACKAGE_VERSION='3.3.116'
-PACKAGE_STRING='gtkwave-gtk3 3.3.116'
+PACKAGE_VERSION='3.3.118'
+PACKAGE_STRING='gtkwave-gtk3 3.3.118'
 PACKAGE_BUGREPORT='byb...@rocketmail.com'
 PACKAGE_URL=''
 
@@ -1395,7 +1395,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures gtkwave-gtk3 3.3.116 to adapt to many kinds of systems.
+\`configure' configures gtkwave-gtk3 3.3.118 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1461,7 +1461,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of gtkwave-gtk3 3.3.116:";;
+     short | recursive ) echo "Configuration of gtkwave-gtk3 3.3.118:";;
    esac
   cat <<\_ACEOF
 
@@ -1609,7 +1609,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-gtkwave-gtk3 configure 3.3.116
+gtkwave-gtk3 configure 3.3.118
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2253,7 +2253,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by gtkwave-gtk3 $as_me 3.3.116, which was
+It was created by gtkwave-gtk3 $as_me 3.3.118, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3120,7 +3120,7 @@
 
 # Define the identity of the package.
  PACKAGE='gtkwave-gtk3'
- VERSION='3.3.116'
+ VERSION='3.3.118'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -11568,7 +11568,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by gtkwave-gtk3 $as_me 3.3.116, which was
+This file was extended by gtkwave-gtk3 $as_me 3.3.118, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -11634,7 +11634,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-gtkwave-gtk3 config.status 3.3.116
+gtkwave-gtk3 config.status 3.3.118
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru gtkwave-3.3.116/configure.ac gtkwave-3.3.118/configure.ac
--- gtkwave-3.3.116/configure.ac	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/configure.ac	2023-12-31 23:11:03.000000000 +0200
@@ -2,7 +2,7 @@
 # Process this file with autoconf to produce a configure script.
 
 AC_PREREQ(2.59)
-AC_INIT(gtkwave-gtk3, 3.3.116, byb...@rocketmail.com)
+AC_INIT(gtkwave-gtk3, 3.3.118, byb...@rocketmail.com)
 AC_CONFIG_SRCDIR([src/vcd.c])
 AM_INIT_AUTOMAKE
 AC_CONFIG_HEADER([config.h])
diff -Nru gtkwave-3.3.116/contrib/bundle_for_osx/Info-gtkwave.plist gtkwave-3.3.118/contrib/bundle_for_osx/Info-gtkwave.plist
--- gtkwave-3.3.116/contrib/bundle_for_osx/Info-gtkwave.plist	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/contrib/bundle_for_osx/Info-gtkwave.plist	2023-12-31 23:11:03.000000000 +0200
@@ -8,7 +8,7 @@
     <key>CFBundleExecutable</key>
     <string>gtkwave</string>
     <key>CFBundleGetInfoString</key>
-    <string>3.3.116, (C) 1999-2023 Tony Bybell http://gtkwave.sourceforge.net</string>
+    <string>3.3.118, (C) 1999-2023 Tony Bybell http://gtkwave.sourceforge.net</string>
     <key>CFBundleIconFile</key>
     <string>gtkwave.icns</string>
     <key>CFBundleIdentifier</key>
@@ -18,11 +18,11 @@
     <key>CFBundlePackageType</key>
     <string>APPL</string>
     <key>CFBundleShortVersionString</key>
-    <string>3.3.116</string>
+    <string>3.3.118</string>
     <key>CFBundleSignature</key>
     <string>????</string>
     <key>CFBundleVersion</key>
-    <string>3.3.116</string>
+    <string>3.3.118</string>
     <key>NSHumanReadableCopyright</key>
     <string>Copyright 1999 - 2023 Tony Bybell, GNU General Public License.</string>
     <key>LSMinimumSystemVersion</key>
diff -Nru gtkwave-3.3.116/contrib/xml2stems/xml2stems.cc gtkwave-3.3.118/contrib/xml2stems/xml2stems.cc
--- gtkwave-3.3.116/contrib/xml2stems/xml2stems.cc	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/contrib/xml2stems/xml2stems.cc	2023-12-31 23:11:03.000000000 +0200
@@ -138,6 +138,9 @@
 						{
 						const char *nam = (*xmt)[string("name")].c_str();
 						const char *fl = (*xmt)[string("fl")].c_str();
+						const char *loc = (*xmt)[string("loc")].c_str();
+					    	int loc_offset = 0;
+						if(!fl || !strlen(fl)) { fl = loc; loc_offset = 1; }
 
 						if(!oneline) 
 							{
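Review bot: The fallback `if(!fl || !strlen(fl)) { fl = loc; loc_offset = 1; }` sets `loc_offset` even when the "loc" attribute is empty too, and the later `s += loc_offset` lines (in the hunks at -148, -205 and -303) then move `s` one byte past the string terminator before `atoi(s)` reads it. `c_str()` never returns a null pointer, so the `!fl` test here and the `if(fl && nam ...)` guards further down cannot catch a missing attribute. Making the skip conditional, e.g. `if(loc_offset && *s) s++;`, keeps the read inside the string. The enclosing block starts and ends outside this hunk.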
@@ -148,7 +151,8 @@
 								const char *s = fl; char *d = fl_dup;
 								while(isalpha(*s)) { *(d++) = *(s++); }
 								*d = 0;
-	
+
+								s+=loc_offset;	
 								unsigned int lineno = atoi(s);
 								const char *mnam = fId[fl_dup].c_str();
 
@@ -194,6 +198,9 @@
 						const char *fl = (*xmt)[string("fl")].c_str();
 						const char *nam = (*xmt)[string("name")].c_str();
 						const char *tms = (*xmt)[string("topModule")].c_str();
+						const char *loc = (*xmt)[string("loc")].c_str();
+					    	int loc_offset = 0;
+						if(!fl || !strlen(fl)) { fl = loc; loc_offset = 1; }
 
 						if(fl && nam && tms)
 							{
@@ -205,7 +212,8 @@
 							const char *s = fl; char *d = fl_dup;
 							while(isalpha(*s)) { *(d++) = *(s++); }
 							*d = 0;
-	
+
+							s += loc_offset;	
 							unsigned int lineno = atoi(s);
 							const char *mnam = fId[fl_dup].c_str();
 							fprintf(fo, "++ module %s file %s lines %d - %d\n", nam, mnam, lineno, lineno); /* don't need line number it truly ends at */
@@ -233,7 +241,7 @@
 				func_nesting_cnt = (!endtag) ? (func_nesting_cnt+1) : (func_nesting_cnt-1);
 				}
 			else
-			if(!strncmp(pnt, "files", 5))
+			if((!strncmp(pnt, "files", 5)) || (!strncmp(pnt, "module_files", 12)))
 				{
 				in_files = (!endtag);
 				}
@@ -293,7 +301,10 @@
 						{
 						const char *fl = (*xmt)[string("fl")].c_str();
 						const char *nam = (*xmt)[string("name")].c_str();
-	
+						const char *loc = (*xmt)[string("loc")].c_str();
+					    	int loc_offset = 0;
+						if(!fl || !strlen(fl)) { fl = loc; loc_offset = 1; }
+
 						if(fl && nam)
 							{
 							mId.push(nam);
@@ -303,6 +314,7 @@
 							while(isalpha(*s)) { *(d++) = *(s++); }
 							*d = 0;
 	
+							s += loc_offset;
 							unsigned int lineno = atoi(s);
 							const char *mnam = fId[fl_dup].c_str();
 							fprintf(fo, "++ udp %s file %s lines %d - %d\n", nam, mnam, lineno, lineno); /* don't need line number it truly ends at */
diff -Nru gtkwave-3.3.116/debian/changelog gtkwave-3.3.118/debian/changelog
--- gtkwave-3.3.116/debian/changelog	2023-07-29 06:35:40.000000000 +0300
+++ gtkwave-3.3.118/debian/changelog	2024-03-23 21:54:30.000000000 +0200
@@ -1,3 +1,33 @@
+gtkwave (3.3.118-0.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * New upstream release.
+    - Fixes multiple vulnerabilities:
+      CVE-2023-32650, CVE-2023-34087, CVE-2023-34436, CVE-2023-35004,
+      CVE-2023-35057, CVE-2023-35128, CVE-2023-35702, CVE-2023-35703,
+      CVE-2023-35704, CVE-2023-35955, CVE-2023-35956, CVE-2023-35957,
+      CVE-2023-35958, CVE-2023-35959, CVE-2023-35960, CVE-2023-35961,
+      CVE-2023-35962, CVE-2023-35963, CVE-2023-35964, CVE-2023-35969,
+      CVE-2023-35970, CVE-2023-35989, CVE-2023-35992, CVE-2023-35994,
+      CVE-2023-35995, CVE-2023-35996, CVE-2023-35997, CVE-2023-36746,
+      CVE-2023-36747, CVE-2023-36861, CVE-2023-36864, CVE-2023-36915,
+      CVE-2023-36916, CVE-2023-37282, CVE-2023-37416, CVE-2023-37417,
+      CVE-2023-37418, CVE-2023-37419, CVE-2023-37420, CVE-2023-37442,
+      CVE-2023-37443, CVE-2023-37444, CVE-2023-37445, CVE-2023-37446,
+      CVE-2023-37447, CVE-2023-37573, CVE-2023-37574, CVE-2023-37575,
+      CVE-2023-37576, CVE-2023-37577, CVE-2023-37578, CVE-2023-37921,
+      CVE-2023-37922, CVE-2023-37923, CVE-2023-38583, CVE-2023-38618,
+      CVE-2023-38619, CVE-2023-38620, CVE-2023-38621, CVE-2023-38622,
+      CVE-2023-38623, CVE-2023-38648, CVE-2023-38649, CVE-2023-38650,
+      CVE-2023-38651, CVE-2023-38652, CVE-2023-38653, CVE-2023-38657,
+      CVE-2023-39234, CVE-2023-39235, CVE-2023-39270, CVE-2023-39271,
+      CVE-2023-39272, CVE-2023-39273, CVE-2023-39274, CVE-2023-39275,
+      CVE-2023-39316, CVE-2023-39317, CVE-2023-39413, CVE-2023-39414,
+      CVE-2023-39443, CVE-2023-39444
+      (Closes: #1060407)
+
+ -- Adrian Bunk <b...@debian.org>  Sat, 23 Mar 2024 21:54:30 +0200
+
 gtkwave (3.3.116-1) unstable; urgency=medium
 
   * New upstream version 3.3.116
diff -Nru gtkwave-3.3.116/LICENSE.TXT gtkwave-3.3.118/LICENSE.TXT
--- gtkwave-3.3.116/LICENSE.TXT	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/LICENSE.TXT	2023-12-31 23:11:03.000000000 +0200
@@ -1,6 +1,6 @@
 ##########################################################################
 
-GTKWave 3.3.116 Wave Viewer is Copyright (C) 1999-2023 Tony Bybell.  
+GTKWave 3.3.118 Wave Viewer is Copyright (C) 1999-2023 Tony Bybell.  
 Portions of GTKWave are Copyright (C) 1999-2023 Udi Finkelstein. 
 Context support is Copyright (C) 2007-2023 Kermin Elliott Fleming.
 Trace group support is  Copyright (C) 2009-2023 Donald Baltus.
diff -Nru gtkwave-3.3.116/share/appdata/gtkwave.appdata.xml gtkwave-3.3.118/share/appdata/gtkwave.appdata.xml
--- gtkwave-3.3.116/share/appdata/gtkwave.appdata.xml	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/share/appdata/gtkwave.appdata.xml	1970-01-01 02:00:00.000000000 +0200
@@ -1,20 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Copyright 2014 Tony Bybell <byb...@rocketmail.com> -->
-<application>
-<id type="desktop">gtkwave.desktop</id>
-<metadata_license>CC0-1.0</metadata_license>
-<summary>Electronic waveform viewer for viewing simulation results</summary>
-<description>
-<p>
-GTKWave is a fully featured GTK+ based waveform viewer which reads FST, LXT, LXT2, VZT, and GHW files as well as standard Verilog VCD/EVCD files and allows their viewing.
-</p>
-<p>
-The viewer supports both post-mortem viewing of VCD files and interactive viewing of VCD data.  Tcl scripting and callback capability allow for remote control by other applications.
-</p>
-</description>
-<url type="homepage">http://gtkwave.sourceforge.net/</url>
-<screenshots>
-<screenshot type="default">http://gtkwave.sourceforge.net/gtkwave-appdata.png</screenshot>
-</screenshots>
-<updatecontact>byb...@rocketmail.com</updatecontact>
-</application>
diff -Nru gtkwave-3.3.116/share/appdata/io.github.gtkwave.GTKWave.metainfo.xml gtkwave-3.3.118/share/appdata/io.github.gtkwave.GTKWave.metainfo.xml
--- gtkwave-3.3.116/share/appdata/io.github.gtkwave.GTKWave.metainfo.xml	1970-01-01 02:00:00.000000000 +0200
+++ gtkwave-3.3.118/share/appdata/io.github.gtkwave.GTKWave.metainfo.xml	2023-12-31 23:11:03.000000000 +0200
@@ -0,0 +1,143 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Copyright 2023 Tony Bybell <byb...@rocketmail.com> -->
+<component type="desktop">
+  <id>io.github.gtkwave.GTKWave</id>
+  <metadata_license>CC0-1.0</metadata_license>
+  <project_license>GPL-2.0-or-later</project_license>
+  <name>GTKWave</name>
+  <developer_name>Tony Bybell</developer_name>
+  <update_contact>byb...@rocketmail.com</update_contact>
+  <summary>Electronic waveform viewer for viewing simulation results</summary>
+  <description>
+    <p>
+      GTKWave is a fully featured GTK+ based waveform viewer which reads FST and
+      GHW files as well as standard Verilog VCD/EVCD files and allows their viewing.
+    </p>
+    <p>
+      The viewer supports both post-mortem viewing of VCD files and interactive viewing of VCD data.
+      Tcl scripting and callback capability allow for remote control by other applications.
+    </p>
+  </description>
+
+  <url type="homepage">http://gtkwave.sourceforge.net/</url>
+  <url type="bugtracker">https://github.com/gtkwave/gtkwave/issues</url>
+  <url type="help">https://github.com/gtkwave/gtkwave</url>
+
+  <screenshots>
+    <screenshot type="default">
+      <image>http://gtkwave.sourceforge.net/gtkwave-appdata.png</image>
+    </screenshot>
+  </screenshots>
+
+  <content_rating type="oars-1.0" />
+
+  <releases>
+    <release version="3.3.118" date="2023-10-20">
+      <description>
+        <p>
+        Changes in 3.3.118:
+        </p>
+        <ul>
+            <li>Update xml2stems to handle newer "loc" vs "fl" xml tags</li>
+            <li>Change preg_regex_c_1 decl to use regex_t* as datatype</li>
+            <li>Move gtkwave.appdata.xml to io.github.gtkwave.GTKWave.metainfo.xml</li>
+        </ul>
+      </description>
+    </release>
+
+    <release version="3.3.117" date="2023-08-08">
+      <description>
+        <p>
+        Changes in 3.3.117:
+        </p>
+        <ul>
+            <li>Fix stems reader processing code broken in 3.3.114</li>
+        </ul>
+      </description>
+    </release>
+
+    <release version="3.3.116" date="2023-06-25">
+      <description>
+        <p>
+        Changes in 3.3.116:
+        </p>
+        <ul>
+            <li>Fix manpage/odt for vcd2fst command switch documentation for zlibpack</li>
+            <li>Add GDK_WINDOWING_WAYLAND check for gdkwayland.h header usage</li>
+            <li>Changed sprintf to snprintf in fstapi.c</li>
+            <li>Fix init crash on show_base_symbols enabled</li>
+        </ul>
+      </description>
+    </release>
+
+    <release version="3.3.115" date="2023-03-28">
+      <description>
+        <p>
+        Changes in 3.3.115:
+        </p>
+        <ul>
+            <li>Fix VZT reader with -fstrict-aliasing</li>
+            <li>Fix use_multi_state condition in vzt_write.c</li>
+            <li>Fix for UNDEF vs strings at start of a vzt file</li>
+            <li>Fix sleep() time scaling redefine for mingw</li>
+            <li>Use MapViewOfFileEx for mmap on Windows (fstapi)</li>
+            <li>Define FST_DO_MISALIGNED_OPS on AArch64 (fstapi)</li>
+            <li>Fixed attrbegin short length problem</li>
+        </ul>
+      </description>
+    </release>
+
+    <release version="3.3.114" date="2022-11-23">
+      <description>
+        <p>
+        Changes in 3.3.114:
+        </p>
+        <ul>
+            <li>Buffer overflow fixes in FST reader</li>
+        </ul>
+      </description>
+    </release>
+
+    <release version="3.3.113" date="2022-10-04">
+      <description>
+        <p>
+        Changes in 3.3.113:
+        </p>
+        <ul>
+            <li>High CPU utilization when nothing is happening</li>
+        </ul>
+      </description>
+    </release>
+
+    <release version="3.3.112" date="2022-10-04">
+      <description>
+        <p>
+        Changes in 3.3.112:
+        </p>
+        <ul>
+            <li>Bugfix-only release, no feature adds</li>
+            <li>VCD reader fixes for unnamed Icarus begin blocks</li>
+            <li>String data type crash fix in fst.c</li>
+        </ul>
+      </description>
+    </release>
+
+    <release version="3.3.111" date="2021-09-01">
+      <description>
+        <p>
+        Changes in 3.3.111:
+        </p>
+        <ul>
+	    <li>Rendering fix for filled rectangles and line caps in Cairo</li>
+	    <li>Fix in fstapi for read start limit time</li>
+	    <li>Use GtkSearchEntry in SST</li>
+	    <li>Convert entrybox to use dialog box</li>
+	    <li>Entrybox: use default response instead of signal handler</li>
+	    <li>Updated show-change widget</li>
+	    <li>Fix xml2stems when begin blocks are in functions</li>
+	    <li>Skip over decimal point in timescale in viewer</li>
+        </ul>
+      </description>
+    </release>
+   </releases>
+</component>
diff -Nru gtkwave-3.3.116/share/appdata/Makefile.am gtkwave-3.3.118/share/appdata/Makefile.am
--- gtkwave-3.3.116/share/appdata/Makefile.am	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/share/appdata/Makefile.am	2023-12-31 23:11:03.000000000 +0200
@@ -1,4 +1,4 @@
 ## -*- makefile -*-
 ##
 
-EXTRA_DIST= gtkwave.appdata.xml
+EXTRA_DIST= io.github.gtkwave.GTKWave.metainfo.xml
diff -Nru gtkwave-3.3.116/share/appdata/Makefile.in gtkwave-3.3.118/share/appdata/Makefile.in
--- gtkwave-3.3.116/share/appdata/Makefile.in	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/share/appdata/Makefile.in	2023-12-31 23:11:03.000000000 +0200
@@ -261,7 +261,7 @@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
-EXTRA_DIST = gtkwave.appdata.xml
+EXTRA_DIST = io.github.gtkwave.GTKWave.metainfo.xml
 all: all-am
 
 .SUFFIXES:
diff -Nru gtkwave-3.3.116/src/debug.c gtkwave-3.3.118/src/debug.c
--- gtkwave-3.3.116/src/debug.c	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/src/debug.c	2023-12-31 23:11:04.000000000 +0200
@@ -736,3 +736,42 @@
 
 return(w);
 }
+
+/******************************************************/
+
+FILE *popen_san(const char *command, const char *type) /* TALOS-2023-1786 */
+{
+const char *p = command;
+int is_ok = 1;
+char ch;
+
+while(p && (ch = *(p++)))
+	{
+	switch(ch)
+		{
+		case '&':
+		case '|':
+		case ';':
+		case '\n':
+		case '`':
+		case '$':
+			is_ok = 0;
+
+		default:
+			break;
+		}
+	}
+
+if(is_ok)
+	{
+	return(popen(command, type));
+	}
+else
+	{
+	fprintf(stderr, "GTKWAVE | TALOS-2023-1786: popen() command string '%s' may not be properly sanitized, blocking command.\n", command);
+	errno = EPIPE;
+	return(NULL);
+	}
+}
+
+/******************************************************/
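Review bot: popen_san() is a denylist of six characters over a string that is still handed to the shell by popen(), so it narrows the problem rather than removing it. Any other shell syntax in an interpolated file name (quoting, redirection, grouping, globbing, whitespace) is still interpreted by the shell, while legitimate paths containing `$` or `&` are now refused. The durable fix is to stop building a command string: have callers pass the program and file name as separate arguments and start the child with pipe()/fork()/execv() or posix_spawn(), so no shell parses the name. Separately, `is_ok = 0;` falls into `default:` without a marker; add `/* fallthrough */` or an explicit `break;` so the intent is clear to readers and to -Wimplicit-fallthrough.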
diff -Nru gtkwave-3.3.116/src/debug.h gtkwave-3.3.118/src/debug.h
--- gtkwave-3.3.116/src/debug.h	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/src/debug.h	2023-12-31 23:11:04.000000000 +0200
@@ -187,5 +187,6 @@
 
 GtkWidget *X_gtk_entry_new_with_max_length (gint max);
 
-#endif
+FILE *popen_san(const char *command, const char *type); /* TALOS-2023-1786 */
 
+#endif
diff -Nru gtkwave-3.3.116/src/extload.c gtkwave-3.3.118/src/extload.c
--- gtkwave-3.3.116/src/extload.c	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/src/extload.c	2023-12-31 23:11:04.000000000 +0200
@@ -1693,7 +1693,7 @@
 
 last_modification_check();
 sprintf(sbuff, "%s -info %s 2>&1", EXTLOAD_PATH, fname);
-GLOBALS->extload = popen(sbuff, "r");
+GLOBALS->extload = popen_san(sbuff, "r");
 for(;;)
 	{
 	char * rc = fgets(sbuff, 65536, GLOBALS->extload);
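Review bot: Every command string built here ends in `2>&1`, and popen_san() as added in src/debug.c rejects any string containing `&`, so as written these calls always take the blocked path and return NULL. The very next statement, `fgets(sbuff, 65536, GLOBALS->extload)`, then receives a null stream. The same applies to the `-hier_tree` and `-vc -vidcode` call sites in the following two hunks. At minimum add `if(!GLOBALS->extload) { /* report and bail out */ }` after each call. To keep the feature working, the stderr redirection has to move out of the filtered string, for example by having the helper duplicate stderr onto the pipe itself. The unbounded `sprintf(sbuff, ...)` with `fname` just above is unchanged by this commit, but deserves an `snprintf` with a truncation check while the area is being touched.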
@@ -1898,7 +1898,7 @@
 
 if(!last_modification_check()) { GLOBALS->extload_already_errored = 1; return(LLDescriptor(0)); }
 sprintf(sbuff, "%s -hier_tree %s 2>&1", EXTLOAD_PATH, fname);
-GLOBALS->extload = popen(sbuff, "r");
+GLOBALS->extload = popen_san(sbuff, "r");
 
 /* do your stuff here..all useful info has been initialized by now */
 
@@ -2254,7 +2254,7 @@
 	TimeType tim;
 
 	sprintf(sbuff, "%s -vc -vidcode %d %s 2>&1", EXTLOAD_PATH, txidx_in_trace, GLOBALS->loaded_file_name);
-	GLOBALS->extload = popen(sbuff, "r");
+	GLOBALS->extload = popen_san(sbuff, "r");
 
 	for(;;)
 		{
diff -Nru gtkwave-3.3.116/src/globals.h gtkwave-3.3.118/src/globals.h
--- gtkwave-3.3.116/src/globals.h	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/src/globals.h	2023-12-31 23:11:04.000000000 +0200
@@ -766,7 +766,7 @@
 /*
  * regex.c
  */
-struct re_pattern_buffer *preg_regex_c_1; /* from regex.c 339 */
+regex_t *preg_regex_c_1; /* from regex.c 339 */
 int *regex_ok_regex_c_1; /* from regex.c 340 */
 
 
diff -Nru gtkwave-3.3.116/src/helpers/evcd2vcd.c gtkwave-3.3.118/src/helpers/evcd2vcd.c
--- gtkwave-3.3.116/src/helpers/evcd2vcd.c	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/src/helpers/evcd2vcd.c	2023-12-31 23:11:04.000000000 +0200
@@ -37,6 +37,16 @@
 #endif
 #include <unistd.h>
 
+/*
+ * report abort messages
+ */
+static void chk_report_abort(const char *s)
+{
+fprintf(stderr,"Triggered %s security check, exiting.\n", s);
+abort();
+}
+
+
 ssize_t getline_replace(char **buf, size_t *len, FILE *f)
 {
 char *fgets_rc;
@@ -234,6 +244,10 @@
 		if(!node)
 			{
 			Jval val;
+			if((len < 0) || (len > 32768))
+				{
+				chk_report_abort("TALOS-2023-1803");
+				}
 			jrb_insert_int(vcd_ids, hash, val)->val2.i = len;
 			}
 
diff -Nru gtkwave-3.3.116/src/helpers/fst/fstapi.c gtkwave-3.3.118/src/helpers/fst/fstapi.c
--- gtkwave-3.3.116/src/helpers/fst/fstapi.c	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/src/helpers/fst/fstapi.c	2023-12-31 23:11:04.000000000 +0200
@@ -193,6 +193,16 @@
 
 
 /*
+ * report abort messages
+ */
+static void chk_report_abort(const char *s)
+{
+fprintf(stderr,"Triggered %s security check, exiting.\n", s);
+abort();
+}
+
+
+/*
  * prevent old file overwrite when currently being read
  */
 static FILE *unlink_fopen(const char *nam, const char *mode)
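Review bot: `chk_report_abort()` calls `abort()` from inside fstapi.c, which is the FST reader/writer API rather than a standalone tool, so a malformed input file now terminates whatever process embeds the reader with SIGABRT (and possibly a core dump) instead of returning an error the caller could handle. That is a reasonable stop-gap for memory-safety bugs, but the contract change should be documented on the helper, e.g. `/* terminates the process; used when a parsed length or count would otherwise cause an out-of-bounds access */`. The identical helper is also added to src/helpers/evcd2vcd.c; the two copies will drift unless it is moved to a shared header.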
@@ -550,7 +560,8 @@
 
 static uint32_t fstReaderVarint32(FILE *f)
 {
-unsigned char buf[5];
+int chk_len = 5; /* TALOS-2023-1783 */
+unsigned char buf[chk_len];
 unsigned char *mem = buf;
 uint32_t rc = 0;
 int ch;
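Review bot: `int chk_len = 5; unsigned char buf[chk_len];` turns the fixed buffer into a variable-length array, because `chk_len` is not a constant expression. VLAs are optional in C11 and rejected by some compilers, and the array size is now tied to a variable that the loop later decrements. Keeping the array fixed and deriving the counter from it avoids both problems: `unsigned char buf[5]; int chk_len = sizeof(buf);`. The same pattern is used in fstReaderVarint32WithSkip and fstReaderVarint64 (with 16) in the next hunks.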
@@ -559,7 +570,9 @@
         {
         ch = fgetc(f);
         *(mem++) = ch;
-        } while(ch & 0x80);
+        } while((ch & 0x80) && (--chk_len));
+
+if(ch & 0x80) chk_report_abort("TALOS-2023-1783");
 mem--;
 
 for(;;)
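Review bot: The bounded loop still does not distinguish `fgetc()` returning EOF from a data byte. On platforms where EOF is -1, `ch & 0x80` is non-zero, so a truncated file stores 0xFF bytes until `chk_len` runs out and then aborts with the TALOS-2023-1783 message. That is safe with respect to the buffer, but it reports a short read as a security-check hit. Testing `ch == EOF` inside the loop and reporting it as a truncated file would make the failure diagnosable. The loops in fstReaderVarint32WithSkip and fstReaderVarint64 in the following hunks have the same shape, and the function body continues outside this hunk.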
@@ -579,7 +592,8 @@
 
 static uint32_t fstReaderVarint32WithSkip(FILE *f, uint32_t *skiplen)
 {
-unsigned char buf[5];
+int chk_len = 5; /* TALOS-2023-1783 */
+unsigned char buf[chk_len];
 unsigned char *mem = buf;
 uint32_t rc = 0;
 int ch;
@@ -588,7 +602,9 @@
         {
         ch = fgetc(f);
         *(mem++) = ch;
-        } while(ch & 0x80);
+        } while((ch & 0x80) && (--chk_len));
+
+if(ch & 0x80) chk_report_abort("TALOS-2023-1783");
 *skiplen = mem - buf;
 mem--;
 
@@ -609,7 +625,8 @@
 
 static uint64_t fstReaderVarint64(FILE *f)
 {
-unsigned char buf[16];
+int chk_len = 16; /* TALOS-2023-1783 */
+unsigned char buf[chk_len];
 unsigned char *mem = buf;
 uint64_t rc = 0;
 int ch;
@@ -618,9 +635,12 @@
         {
         ch = fgetc(f);
         *(mem++) = ch;
-        } while(ch & 0x80);
+        } while((ch & 0x80) && (--chk_len));
+
+if(ch & 0x80) chk_report_abort("TALOS-2023-1783");
 mem--;
 
+
 for(;;)
         {
         rc <<= 7;
@@ -1838,6 +1858,14 @@
         xc->xc_parent = xc;
         memcpy(xc2, xc, sizeof(struct fstWriterContext));
 
+	if(sizeof(size_t) < sizeof(uint64_t))
+		{
+		/* TALOS-2023-1777 for 32b overflow */
+		uint64_t chk_64 = xc->maxhandle * 4 * sizeof(uint32_t);
+		size_t   chk_32 = xc->maxhandle * 4 * sizeof(uint32_t);
+		if(chk_64 != chk_32) chk_report_abort("TALOS-2023-1777");
+		}
+
         xc2->valpos_mem = (uint32_t *)malloc(xc->maxhandle * 4 * sizeof(uint32_t));
         memcpy(xc2->valpos_mem, xc->valpos_mem, xc->maxhandle * 4 * sizeof(uint32_t));
 
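Review bot: In the TALOS-2023-1777 check, `chk_64` and `chk_32` are initialised from the same expression, `xc->maxhandle * 4 * sizeof(uint32_t)`. If `maxhandle` is a 32-bit type (its declaration is outside this hunk), on a 32-bit target the multiplication is carried out in 32 bits and wraps before it is widened to `uint64_t`, so the two values are always equal and the check never fires. Widen one operand first: `uint64_t chk_64 = (uint64_t)xc->maxhandle * 4 * sizeof(uint32_t);`. The `malloc()` result on the following line is also used by `memcpy()` without a NULL test.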
@@ -3434,7 +3462,7 @@
 
 
 #ifndef FST_WRITEX_DISABLE
-static void fstWritex(struct fstReaderContext *xc, void *v, int len)
+static void fstWritex(struct fstReaderContext *xc, void *v, uint32_t len) /* TALOS-2023-1793: change len to unsigned */
 {
 unsigned char *s = (unsigned char *)v;
 
@@ -4181,7 +4209,7 @@
                                 if((xc->hier.u.attr.subtype == FST_MT_SOURCESTEM)||(xc->hier.u.attr.subtype == FST_MT_SOURCEISTEM))
                                         {
                                         int sidx_skiplen_dummy = 0;
-                                        xc->hier.u.attr.arg_from_name = fstGetVarint64((unsigned char *)xc->str_scope_nam, &sidx_skiplen_dummy);
+                                        xc->hier.u.attr.arg_from_name = fstGetVarint64((unsigned char *)xc->str_scope_attr, &sidx_skiplen_dummy);
                                         }
                                 }
                         break;
@@ -5060,6 +5088,7 @@
 for(;;)
         {
         uint32_t *tc_head = NULL;
+	uint32_t tc_head_items = 0;
         traversal_mem_offs = 0;
 
         fstReaderFseeko(xc, xc->f, blkpos, SEEK_SET);
@@ -5103,12 +5132,12 @@
                 }
 
 
-        mem_required_for_traversal = fstReaderUint64(xc->f);
-        mem_for_traversal = (unsigned char *)malloc(mem_required_for_traversal + 66); /* add in potential fastlz overhead */
+        mem_required_for_traversal = fstReaderUint64(xc->f) + 66; /* add in potential fastlz overhead */
+        mem_for_traversal = (unsigned char *)malloc(mem_required_for_traversal);
 #ifdef FST_DEBUG
         fprintf(stderr, FST_APIMESS "sec: %u seclen: %d begtim: %d endtim: %d\n",
                 secnum, (int)seclen, (int)beg_tim, (int)end_tim);
-        fprintf(stderr, FST_APIMESS "mem_required_for_traversal: %d\n", (int)mem_required_for_traversal);
+        fprintf(stderr, FST_APIMESS "mem_required_for_traversal: %d\n", (int)mem_required_for_traversal-66);
 #endif
         /* process time block */
         {
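Review bot: Folding the `+ 66` into `mem_required_for_traversal` means the addition is now performed on a value read straight from the file, and it can wrap. Assuming the variable is a 64-bit unsigned (it is declared outside the hunk), a stored length within 66 of the maximum wraps to a very small allocation size. The `malloc()` result is not tested in the visible lines either. Reject the value before adding, e.g. compare the raw `fstReaderUint64()` result against an upper bound derived from the section length, and bail out when `mem_for_traversal` is NULL. In the FST_DEBUG line, `(int)mem_required_for_traversal-66` casts before subtracting; `(int)(mem_required_for_traversal-66)` states the intent.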
@@ -5158,6 +5187,22 @@
                 }
 
         free(time_table);
+
+	if(sizeof(size_t) < sizeof(uint64_t))
+		{
+		/* TALOS-2023-1792 for 32b overflow */
+		uint64_t chk_64 = tsec_nitems * sizeof(uint64_t);
+		size_t   chk_32 = ((size_t)tsec_nitems) * sizeof(uint64_t);
+		if(chk_64 != chk_32) chk_report_abort("TALOS-2023-1792");
+		}
+	else
+		{
+		uint64_t chk_64 = tsec_nitems * sizeof(uint64_t);
+		if((chk_64/sizeof(uint64_t)) != tsec_nitems)
+			{
+			chk_report_abort("TALOS-2023-1792");
+			}
+		}
         time_table = (uint64_t *)calloc(tsec_nitems, sizeof(uint64_t));
         tpnt = ucdata;
         tpval = 0;
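Review bot: This 15-line overflow test is repeated almost verbatim four times in the patch (here, before the `tc_head` allocation, and twice before the `chain_table` allocations), which makes the differences between the copies hard to audit. A single helper that compares the count against `SIZE_MAX / size` covers both the 32-bit and the 64-bit branch. Note also that `calloc(nmemb, size)` in mainstream C libraries already returns NULL when the product overflows; what is missing in the visible lines is a test of the `calloc()` result before `time_table` is written.
```c
/* abort if nitems * size cannot be represented in size_t */
static void chk_mul_overflow(uint64_t nitems, size_t size, const char *advisory)
{
if(size && (nitems > (SIZE_MAX / size)))
	{
	chk_report_abort(advisory);
	}
}

/* … unchanged: free(time_table) … */
chk_mul_overflow(tsec_nitems, sizeof(uint64_t), "TALOS-2023-1792");
time_table = (uint64_t *)calloc(tsec_nitems, sizeof(uint64_t));
/* … unchanged: time table decode loop … */
```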
@@ -5169,7 +5214,23 @@
                 tpnt += skiplen;
                 }
 
-        tc_head = (uint32_t *)calloc(tsec_nitems /* scan-build */ ? tsec_nitems : 1, sizeof(uint32_t));
+	tc_head_items = tsec_nitems /* scan-build */ ? tsec_nitems : 1;
+	if(sizeof(size_t) < sizeof(uint64_t))
+		{
+		/* TALOS-2023-1792 for 32b overflow */
+		uint64_t chk_64 = tc_head_items * sizeof(uint32_t);
+		size_t   chk_32 = ((size_t)tc_head_items) * sizeof(uint32_t);
+		if(chk_64 != chk_32) chk_report_abort("TALOS-2023-1792");
+		}
+	else
+		{
+		uint64_t chk_64 = tc_head_items * sizeof(uint32_t);
+		if((chk_64/sizeof(uint32_t)) != tc_head_items)
+			{
+			chk_report_abort("TALOS-2023-1792");
+			}
+		}
+        tc_head = (uint32_t *)calloc(tc_head_items, sizeof(uint32_t));
         free(ucdata);
         }
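Review bot: `tc_head_items` is declared `uint32_t` in the earlier hunk, so `tc_head_items = tsec_nitems ? tsec_nitems : 1;` silently truncates if `tsec_nitems` is wider. The `(size_t)tsec_nitems` cast in the preceding check suggests it is 64-bit, but its declaration is outside the hunk. In that case `tc_head` is allocated with the truncated count, while code outside this hunk may still index it by the full `tsec_nitems`. With a 32-bit `tc_head_items` the `else` branch test `(chk_64/sizeof(uint32_t)) != tc_head_items` can never be true. Declaring it `uint64_t tc_head_items = 0;` keeps the count and the check meaningful.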
 
@@ -5273,6 +5334,10 @@
                                                         {
                                                         if(value_change_callback)
                                                                 {
+								if(xc->signal_lens[idx] > xc->longest_signal_value_len)
+									{
+									chk_report_abort("TALOS-2023-1797");
+									}
                                                                 memcpy(xc->temp_signal_value_buf, mu+sig_offs, xc->signal_lens[idx]);
                                                                 xc->temp_signal_value_buf[xc->signal_lens[idx]] = 0;
                                                                 value_change_callback(user_callback_data_pointer, beg_tim, idx+1, xc->temp_signal_value_buf);
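Review bot: The new check bounds only the destination of the `memcpy()`; the source range `mu+sig_offs .. +signal_lens[idx]` is not compared against the frame size on this callback path, whereas the fstWritex path in the next hunk does compare `sig_offs + xc->signal_lens[idx]` with `frame_uclen`. If `sig_offs` comes from the file, the same source-side test is needed here. The check also relies on `temp_signal_value_buf` holding at least `longest_signal_value_len + 1` bytes, because the next line stores a terminator at index `signal_lens[idx]`. That allocation is outside the hunk and should be confirmed or stated in a comment.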
@@ -5286,6 +5351,10 @@
 
                                                                         vcd_id[0] = (xc->signal_typs[idx] != FST_VT_VCD_PORT) ? 'b' : 'p';
                                                                         fstWritex(xc, vcd_id, 1);
+									if((sig_offs + xc->signal_lens[idx]) > frame_uclen)
+										{
+										chk_report_abort("TALOS-2023-1793");
+										}
                                                                         fstWritex(xc,mu+sig_offs, xc->signal_lens[idx]);
 
                                                                         vcd_id[0] = ' '; /* collapse 3 writes into one I/O call */
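Review bot: `(sig_offs + xc->signal_lens[idx]) > frame_uclen` adds two file-derived values before comparing, so if both are 32-bit unsigned (their declarations are outside the hunk) a large `sig_offs` can wrap the sum and pass the test. Writing it as a subtraction avoids the wrap: `if((sig_offs > frame_uclen) || (xc->signal_lens[idx] > (frame_uclen - sig_offs)))`. This guard covers only the multi-bit branch visible here; other reads of `mu+sig_offs` in the same function are outside the hunk and should be checked the same way.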
@@ -5410,7 +5479,44 @@
                 free(chain_table_lengths);
 
                 vc_maxhandle_largest = vc_maxhandle;
+
+		if(!(vc_maxhandle+1))
+			{
+			chk_report_abort("TALOS-2023-1798");
+			}
+
+		if(sizeof(size_t) < sizeof(uint64_t))
+			{
+			/* TALOS-2023-1798 for 32b overflow */
+			uint64_t chk_64 = (vc_maxhandle+1) * sizeof(fst_off_t);
+			size_t   chk_32 = ((size_t)(vc_maxhandle+1)) * sizeof(fst_off_t);
+			if(chk_64 != chk_32) chk_report_abort("TALOS-2023-1798");
+			}
+		else
+			{
+			uint64_t chk_64 = (vc_maxhandle+1) * sizeof(fst_off_t);
+				if((chk_64/sizeof(fst_off_t)) != (vc_maxhandle+1))
+				{
+				chk_report_abort("TALOS-2023-1798");
+				}
+			}
                 chain_table = (fst_off_t *)calloc((vc_maxhandle+1), sizeof(fst_off_t));
+
+		if(sizeof(size_t) < sizeof(uint64_t))
+			{
+			/* TALOS-2023-1798 for 32b overflow */
+			uint64_t chk_64 = (vc_maxhandle+1) * sizeof(uint32_t);
+			size_t   chk_32 = ((size_t)(vc_maxhandle+1)) * sizeof(uint32_t);
+			if(chk_64 != chk_32) chk_report_abort("TALOS-2023-1798");
+			}
+		else
+			{
+			uint64_t chk_64 = (vc_maxhandle+1) * sizeof(uint32_t);
+				if((chk_64/sizeof(uint32_t)) != (vc_maxhandle+1))
+				{
+				chk_report_abort("TALOS-2023-1798");
+				}
+			}
                 chain_table_lengths = (uint32_t *)calloc((vc_maxhandle+1), sizeof(uint32_t));
                 }
 
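Review bot: Neither `calloc` result (`chain_table`, `chain_table_lengths`) is tested for NULL, so a handle count that passes the new overflow checks but cannot be satisfied by the allocator leads to a NULL write in the `chain_table[idx++] = 0` loops of the following hunks. `vc_maxhandle` appears to come from the file being read, so allocation failure is reachable from input; add `if(!chain_table || !chain_table_lengths)` with the reader's normal error exit right after the second `calloc`. The same applies to the unchecked `malloc` results behind the new guards in lxt2_read.c and vzt_read.c, for example `times = malloc(...)` followed directly by `times[0] = ...`. The three near-identical check blocks would also read better as one small helper taking the count and the element size.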
@@ -5454,6 +5560,11 @@
                                 uint64_t val = fstGetVarint32(pnt, &skiplen);
 
                                 fstHandle loopcnt = val >> 1;
+				if((idx+loopcnt-1) > vc_maxhandle) /* TALOS-2023-1789 */
+					{
+					chk_report_abort("TALOS-2023-1789");
+					}
+
                                 for(i=0;i<loopcnt;i++)
                                         {
                                         chain_table[idx++] = 0;
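Review bot: The new bound `(idx+loopcnt-1) > vc_maxhandle` is evaluated in the operands' own type, so if `idx` is a 32-bit `fstHandle` like `loopcnt`, the sum can wrap and a large run length passes the test while the loop below still writes `loopcnt` entries. A form without the addition avoids that: `if(loopcnt && ((idx > vc_maxhandle) || ((loopcnt - 1) > (vc_maxhandle - idx))))`. The declaration of `idx` is outside the hunk, so this needs confirming against its type. The identical check in the next hunk (new line 5598) would change the same way.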
@@ -5487,6 +5598,12 @@
                         else
                                 {
                                 fstHandle loopcnt = val >> 1;
+
+				if((idx+loopcnt-1) > vc_maxhandle) /* TALOS-2023-1789 */
+					{
+					chk_report_abort("TALOS-2023-1789");
+					}
+
                                 for(i=0;i<loopcnt;i++)
                                         {
                                         chain_table[idx++] = 0;
@@ -5547,6 +5664,11 @@
                                         unsigned long destlen = val;
                                         unsigned long sourcelen = chain_table_lengths[i];
 
+					if(traversal_mem_offs >= mem_required_for_traversal)
+						{
+						chk_report_abort("TALOS-2023-1785");
+						}
+
                                         if(mc_mem_len < chain_table_lengths[i])
                                                 {
                                                 free(mc_mem);
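Review bot: The TALOS-2023-1785 guard tests only that the starting offset `traversal_mem_offs` lies inside `mem_required_for_traversal`; it does not test that `destlen` bytes fit behind it. In the next hunk the same start-only test is followed by `fstFread(mu, destlen, 1, xc->f)` with `mu = mem_for_traversal + traversal_mem_offs`, so an entry that begins near the end of the buffer can still be filled past it unless the allocation carries enough slack (its size is not visible here). Extending the condition with `|| (destlen > (mem_required_for_traversal - traversal_mem_offs))` closes that gap. In the second hunk `destlen` is an `int` computed as `chain_table_lengths[i] - skiplen`, so a negative value should be rejected as well. Both enclosing blocks continue outside their hunks.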
@@ -5575,6 +5697,12 @@
                                         {
                                         int destlen = chain_table_lengths[i] - skiplen;
                                         unsigned char *mu = mem_for_traversal + traversal_mem_offs;
+
+					if(traversal_mem_offs >= mem_required_for_traversal)
+						{
+						chk_report_abort("TALOS-2023-1785");
+						}
+
                                         fstFread(mu, destlen, 1, xc->f);
                                         /* data to process is for(j=0;j<destlen;j++) in mu[j] */
                                         headptr[i] = traversal_mem_offs;
@@ -5600,6 +5728,11 @@
                                         tdelta = vli >> 1;
                                         }
 
+				if(tdelta >= tc_head_items)
+					{
+					chk_report_abort("TALOS-2023-1791");
+					}
+
                                 scatterptr[i] = tc_head[tdelta];
                                 tc_head[tdelta] = i+1;
                                 }
@@ -5698,6 +5831,11 @@
                                                 shamt = 2 << (vli & 1);
                                                 tdelta = vli >> shamt;
 
+						if((tdelta+i) >= tc_head_items)
+							{
+							chk_report_abort("TALOS-2023-1791");
+							}
+
                                                 scatterptr[idx] = tc_head[i+tdelta];
                                                 tc_head[i+tdelta] = idx+1;
                                                 }
@@ -5731,6 +5869,14 @@
 
                                                                 vcdid_len = fstVcdIDForFwrite(vcd_id+1, idx+1);
                                                                 {
+								if(sizeof(size_t) < sizeof(uint64_t))
+                							{
+                							/* TALOS-2023-1790 for 32b overflow */
+                							uint64_t chk_64 = len*4 + 1;
+                							size_t   chk_32 = len*4 + 1;
+                							if(chk_64 != chk_32) chk_report_abort("TALOS-2023-1790");
+                							}
+
                                                                 unsigned char *vesc = (unsigned char *)malloc(len*4 + 1);
                                                                 int vlen = fstUtilityBinToEsc(vesc, vdata, len);
                                                                 fstWritex(xc, vesc, vlen);
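Review bot: In the TALOS-2023-1790 block both `chk_64` and `chk_32` are initialised from the same expression `len*4 + 1`, which is computed in the type of `len` before it is stored. Unless `len` is already 64 bits wide (its declaration is outside the hunk), the wrap happens in both values alike and the comparison cannot fail; widening first, `uint64_t chk_64 = (uint64_t)len*4 + 1;`, makes the check effective. The TALOS-2023-1821 block in lxt2_read.c (`lt->len[i] + 1`, new line 984) has the same shape and wants the same cast. The `malloc` result `vesc` is also passed on to `fstUtilityBinToEsc` without a NULL test.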
@@ -5756,6 +5902,11 @@
                                                 vli = fstGetVarint32NoSkip(mem_for_traversal + headptr[idx]);
                                                 tdelta = vli >> 1;
 
+						if((tdelta+i) >= tc_head_items)
+							{
+							chk_report_abort("TALOS-2023-1791");
+							}
+
                                                 scatterptr[idx] = tc_head[i+tdelta];
                                                 tc_head[i+tdelta] = idx+1;
                                                 }
@@ -5772,6 +5923,11 @@
 
                                 if(xc->signal_typs[idx] != FST_VT_VCD_REAL)
                                         {
+					if(len > xc->longest_signal_value_len)
+						{
+						chk_report_abort("TALOS-2023-1797");
+						}
+
                                         if(!(vli & 1))
                                                 {
                                                 int byte = 0;
@@ -5819,6 +5975,10 @@
                                                                 unsigned char ch_bp =  (xc->signal_typs[idx] != FST_VT_VCD_PORT) ? 'b' : 'p';
 
                                                                 fstWritex(xc, &ch_bp, 1);
+								if((vdata - mem_for_traversal + len) > mem_required_for_traversal)
+									{
+									chk_report_abort("TALOS-2023-1793");
+									}
                                                                 fstWritex(xc, vdata, len);
                                                                 }
                                                         }
@@ -5941,6 +6101,11 @@
                                         vli = fstGetVarint32NoSkip(mem_for_traversal + headptr[idx]);
                                         tdelta = vli >> 1;
 
+					if((tdelta+i) >= tc_head_items)
+						{
+						chk_report_abort("TALOS-2023-1791");
+						}
+
                                         scatterptr[idx] = tc_head[i+tdelta];
                                         tc_head[i+tdelta] = idx+1;
                                         }
diff -Nru gtkwave-3.3.116/src/helpers/lxt2_read.c gtkwave-3.3.118/src/helpers/lxt2_read.c
--- gtkwave-3.3.116/src/helpers/lxt2_read.c	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/src/helpers/lxt2_read.c	2023-12-31 23:11:04.000000000 +0200
@@ -90,6 +90,16 @@
 /****************************************************************************/
 
 /*
+ * report abort messages
+ */
+static void chk_report_abort(const char *s)
+{
+fprintf(stderr,"Triggered %s security check, exiting.\n", s);
+abort();
+}
+
+
+/*
  * fast SWAR ones count for 32 and 64 bits
  */
 #if LXT2_RD_GRANULE_SIZE > 32
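Review bot: `chk_report_abort` never returns, but nothing in its comment or declaration says so, and the identical body is pasted into vcd2lxt2.c, vcd2lxt.c, vcd2vzt.c, vzt_read.c and LzmaLib.c later in this diff. I would extend the comment to `/* report which security check fired on stderr and abort(); never returns */` so that readers of the call sites know the code after a failed check is unreachable. Because the readers call `abort()` directly, any program that links them terminates on a malformed file; that is a deliberate fail-stop and worth stating in the same comment.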
@@ -141,6 +151,11 @@
 int i;
 int len2 = len-1;
 
+if(len >= sizeof(s))
+	{
+	chk_report_abort("TALOS-2023-1827");
+	}
+
 for(i=0;i<len;i++)
         {
         *(p++) = '0' | ((value & (1<<(len2-i)))!=0);
@@ -214,12 +229,20 @@
         	case LXT2_RD_ENC_INV:	for(i=0;i<lt->len[idx];i++) { lt->value[idx][i] ^= 1; } break;
 
         	case LXT2_RD_ENC_LSH0:
-        	case LXT2_RD_ENC_LSH1:	memmove(lt->value[idx], lt->value[idx]+1, lt->len[idx]-1);
+        	case LXT2_RD_ENC_LSH1:	if(!lt->len[idx])
+						{
+						chk_report_abort("TALOS-2023-1824");
+						}
+					memmove(lt->value[idx], lt->value[idx]+1, lt->len[idx]-1);
 					lt->value[idx][lt->len[idx]-1] = '0'+(vch-LXT2_RD_ENC_LSH0);
 					break;
 
         	case LXT2_RD_ENC_RSH0:
-        	case LXT2_RD_ENC_RSH1:	memmove(lt->value[idx]+1, lt->value[idx], lt->len[idx]-1);
+        	case LXT2_RD_ENC_RSH1:	if(!lt->len[idx])
+						{
+						chk_report_abort("TALOS-2023-1824");
+						}
+					memmove(lt->value[idx]+1, lt->value[idx], lt->len[idx]-1);
 					lt->value[idx][0] = '0'+(vch-LXT2_RD_ENC_RSH0);
 					break;
 
@@ -598,7 +621,21 @@
 
 if(b->num_dict_entries)
 	{
+        {
+        size_t chk_x = b->num_dict_entries * sizeof(char *);
+        if((chk_x / sizeof(char *)) != b->num_dict_entries)
+		{
+                chk_report_abort("TALOS-2023-1820");
+                }
+        }
 	b->string_pointers = malloc(b->num_dict_entries * sizeof(char *));
+        {
+        size_t chk_x = b->num_dict_entries * sizeof(unsigned int);
+        if((chk_x / sizeof(unsigned int)) != b->num_dict_entries)
+		{
+                chk_report_abort("TALOS-2023-1820");
+                }
+        }
 	b->string_lens = malloc(b->num_dict_entries * sizeof(unsigned int));
 	pnt = b->dict_start;
 	for(i=0;i<b->num_dict_entries;i++)
@@ -662,6 +699,10 @@
 	/* fprintf(stderr, LXT2_RDLOAD"processing granule %d\n", granule); */
 	pnt++;
 	lt->num_time_table_entries = lxt2_rd_get_byte(pnt, 0);
+	if(lt->num_time_table_entries > LXT2_RD_GRANULE_SIZE)
+		{
+		chk_report_abort("TALOS-2023-1819");
+		}
 	pnt++;
 	for(i=0;i<lt->num_time_table_entries;i++)
 		{
@@ -884,6 +925,13 @@
 			lt->zhandle = gzdopen(dup(fileno(lt->handle)), "rb");
 
 			t = lt->numfacs * 4 * sizeof(lxtint32_t);
+			{
+			size_t chk_x = lt->numfacs * 4 * sizeof(lxtint32_t);
+			if((chk_x / (4 * sizeof(lxtint32_t))) != lt->numfacs)
+				{
+				chk_report_abort("TALOS-2023-1818");
+				}
+			}
 			m=(char *)malloc(t);
 			rc=gzread(lt->zhandle, m, t);
 			gzclose(lt->zhandle); lt->zhandle=NULL;
@@ -899,11 +947,25 @@
 
 			pos = pos+lt->zfacgeometrysize;
 
+			{
+			size_t chk_x = lt->numfacs * sizeof(lxtint32_t);
+			if((chk_x / sizeof(lxtint32_t)) != lt->numfacs)
+				{
+				chk_report_abort("TALOS-2023-1818");
+				}
+			}
 			lt->rows = malloc(lt->numfacs * sizeof(lxtint32_t));
 			lt->msb = malloc(lt->numfacs * sizeof(lxtsint32_t));
 			lt->lsb = malloc(lt->numfacs * sizeof(lxtsint32_t));
 			lt->flags = malloc(lt->numfacs * sizeof(lxtint32_t));
 			lt->len = malloc(lt->numfacs * sizeof(lxtint32_t));
+			{
+			size_t chk_x = lt->numfacs * sizeof(char *);
+			if((chk_x / sizeof(char *)) != lt->numfacs)
+				{
+				chk_report_abort("TALOS-2023-1818");
+				}
+			}
 			lt->value = malloc(lt->numfacs * sizeof(char *));
 			lt->next_radix = malloc(lt->numfacs * sizeof(void *));
 
@@ -922,6 +984,13 @@
 					{
 					lt->len[i] = 32;
 					}
+			        if(sizeof(size_t) < sizeof(uint64_t))
+                			{
+                			/* TALOS-2023-1821 for 32b overflow */
+                			uint64_t chk_64 = lt->len[i] + 1;
+                			size_t   chk_32 = lt->len[i] + 1;
+                			if(chk_64 != chk_32) chk_report_abort("TALOS-2023-1821");
+                			}
 				lt->value[i] = calloc(lt->len[i] + 1, sizeof(char));
 				}
 
@@ -1261,12 +1330,24 @@
 			clone=lxt2_rd_get_16(lt->faccache->n, 0);  lt->faccache->n+=2;
 			pnt=lt->faccache->bufcurr;
 
+			if(clone > lt->longestname)
+				{
+				chk_report_abort("TALOS-2023-1826");
+				}
+
 			for(j=0;j<clone;j++)
 				{
 				*(pnt++) = lt->faccache->bufprev[j];
 				}
 
-			while((*(pnt++)=lxt2_rd_get_byte(lt->faccache->n++,0)));
+			do
+				{
+				if((pnt - lt->faccache->bufcurr) > lt->longestname)
+					{
+					chk_report_abort("TALOS-2023-1826");
+					}
+				}
+				while((*(pnt++)=lxt2_rd_get_byte(lt->faccache->n++,0)));
 			lt->faccache->old_facidx = facidx;
 			return(lt->faccache->bufcurr);
 			}
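Review bot: The rewritten copy loop is laid out so that `while((*(pnt++)=lxt2_rd_get_byte(lt->faccache->n++,0)));` sits on its own line below the closing brace, where it reads as a separate empty loop rather than the tail of the `do`. Joining it to the brace, `} while((*(pnt++)=lxt2_rd_get_byte(lt->faccache->n++,0)));`, matches the layout used for the same fix in vzt_read.c. The bound itself assumes `bufcurr` holds `longestname + 1` bytes, since a store at offset `longestname` is still allowed; the allocation is not visible here, so a short comment stating that assumption would help.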
@@ -1526,6 +1607,11 @@
 					rcf = fread(&unclen, 4, 1, lt->handle);	unclen = rcf ? lxt2_rd_get_32(&unclen,0) : 0;
 					rcf = fread(&iter, 4, 1, lt->handle);	iter = rcf ? lxt2_rd_get_32(&iter,0) : 0;
 
+					if(unclen > b->uncompressed_siz)
+						{
+						chk_report_abort("TALOS-2023-1823"); /* could fix this up with a realloc(), but abort to indicate the file is malformed */
+						}
+
 					fspos += 12;
 					if((iter==0xFFFFFFFF)||(lt->process_mask_compressed[iter/LXT2_RD_PARTIAL_SIZE]))
 						{
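Review bot: `iter` is read from the file two lines above the new `unclen` check and is then used as `lt->process_mask_compressed[iter/LXT2_RD_PARTIAL_SIZE]` with only the `0xFFFFFFFF` sentinel excluded. No range check on `iter` is visible in this hunk, so unless it is bounded elsewhere the index should be validated before the lookup, for instance `if((iter != 0xFFFFFFFF) && (iter >= lt->numfacs))` followed by the same abort path. The sizing of `process_mask_compressed` is outside the diff and needs confirming before the bound is chosen.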
@@ -1533,6 +1619,10 @@
 							{
 							if(zbuff) free(zbuff);
 							zlen = clen * 2;
+							if(zlen < clen)
+								{
+								chk_report_abort("TALOS-2023-1822");
+								}
 							zbuff = malloc(zlen ? zlen : 1 /* scan-build */);
 							}
 
diff -Nru gtkwave-3.3.116/src/helpers/vcd2fst.c gtkwave-3.3.118/src/helpers/vcd2fst.c
--- gtkwave-3.3.116/src/helpers/vcd2fst.c	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/src/helpers/vcd2fst.c	2023-12-31 23:11:04.000000000 +0200
@@ -68,6 +68,43 @@
 return(pnt);
 }
 
+/******************************************************/
+
+static FILE *popen_san(const char *command, const char *type) /* TALOS-2023-1786 */
+{
+const char *p = command;
+int is_ok = 1;
+char ch;
+
+while(p && (ch = *(p++)))
+	{
+	switch(ch)
+		{
+		case '&':
+		case '|':
+		case ';':
+		case '\n':
+		case '`':
+		case '$':
+			is_ok = 0;
+
+		default:
+			break;
+		}
+	}
+
+if(is_ok)
+	{
+	return(popen(command, type));
+	}
+else
+	{
+	fprintf(stderr, "GTKWAVE | TALOS-2023-1786: popen() command string '%s' may not be properly sanitized, blocking command.\n", command);
+	return(NULL);
+	}
+}
+
+/******************************************************/
 
 /*********************************************************/
 /*** vvv extload component type name determination vvv ***/
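Review bot: `popen_san` is a denylist of six characters and the string is still handed to the shell by `popen`, so redirection characters, quotes, parentheses and whitespace in a file name pass through unchanged and can still alter the command line. The function should say so in a header comment, along the lines of `/* blocks & | ; newline, backquote and $ only; not a complete shell filter, file names remain untrusted */`, and the longer-term fix is to start the helper with an argument vector instead of a shell string. Inside the `switch`, `is_ok = 0;` falls through into `default:` without a marker; a `break;` after it keeps fallthrough warnings quiet. The same function is duplicated in vcd2lxt2.c, vcd2lxt.c and vcd2vzt.c in this diff, so all copies need to stay in step.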
@@ -281,7 +318,7 @@
 void *xc = fstReaderOpenForUtilitiesOnly();
 
 sprintf(sbuff, "%s -info %s 2>&1", EXTLOAD_PATH, fname);
-extload = popen(sbuff, "r");
+extload = popen_san(sbuff, "r");
 if(extload)
 	{
 	while(get_info(extload));
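Review bot: The command built here ends in `2>&1`, and `popen_san` as added earlier in this file rejects any string containing `&`, so this call now always returns NULL and the `-info` pass is skipped for every input; the `-tree` call in the next hunk is affected the same way. Either scan only `fname` before formatting and keep plain `popen` for the fixed template, or drop the `2>&1` from both format strings. Separately, `sprintf` into `sbuff` is unbounded with respect to `fname`; the buffer's size is not visible in the hunk, but `snprintf(sbuff, sizeof(sbuff), ...)` would be the safer form if `sbuff` is an array.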
@@ -295,7 +332,7 @@
 	}
 
 sprintf(sbuff, "%s -tree %s 2>&1", EXTLOAD_PATH, fname);
-extload = popen(sbuff, "r");
+extload = popen_san(sbuff, "r");
 if(extload)
 	{
 	while(get_scopename(xc, extload));
@@ -482,7 +519,7 @@
 	if(suffix_check(vname, "."EXTLOAD_SUFFIX) || suffix_check(vname, "."EXTLOAD_SUFFIX".gz") || suffix_check(vname, "."EXTLOAD_SUFFIX".bz2"))
 		{
 		sprintf(bin_fixbuff, EXTCONV_PATH" %s", vname);
-		f = popen(bin_fixbuff, "r");
+		f = popen_san(bin_fixbuff, "r");
 		is_popen = 1;
 		is_extload = 1;
 #ifndef _WAVE_HAVE_JUDY
@@ -497,7 +534,7 @@
 		if(suffix_check(vname, "."EXT2LOAD_SUFFIX))
 			{
 			sprintf(bin_fixbuff, EXT2CONV_PATH" %s", vname);
-			f = popen(bin_fixbuff, "r");
+			f = popen_san(bin_fixbuff, "r");
 			is_popen = 1;
 			}
 			else
@@ -506,7 +543,7 @@
 		if(suffix_check(vname, "."EXT3LOAD_SUFFIX))
 			{
 			sprintf(bin_fixbuff, EXT3CONV_PATH" %s", vname);
-			f = popen(bin_fixbuff, "r");
+			f = popen_san(bin_fixbuff, "r");
 			is_popen = 1;
 			}
 			else
diff -Nru gtkwave-3.3.116/src/helpers/vcd2lxt2.c gtkwave-3.3.118/src/helpers/vcd2lxt2.c
--- gtkwave-3.3.116/src/helpers/vcd2lxt2.c	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/src/helpers/vcd2lxt2.c	2023-12-31 23:11:04.000000000 +0200
@@ -145,6 +145,53 @@
 
 /******************************************************************/
 
+/*
+ * report abort messages
+ */
+static void chk_report_abort(const char *s)
+{
+fprintf(stderr,"Triggered %s security check, exiting.\n", s);
+abort();
+}
+
+/******************************************************************/
+
+static FILE *popen_san(const char *command, const char *type) /* TALOS-2023-1786 */
+{
+const char *p = command;
+int is_ok = 1;
+char ch;
+
+while(p && (ch = *(p++)))
+        {
+        switch(ch)
+                {
+                case '&':
+                case '|':
+                case ';':
+                case '\n':
+                case '`':
+                case '$':
+                        is_ok = 0;
+
+                default:
+                        break;
+                }
+        }
+
+if(is_ok)
+        {
+        return(popen(command, type));
+        }
+else
+    	{
+        fprintf(stderr, "GTKWAVE | TALOS-2023-1786: popen() command string '%s' may not be properly sanitized, blocking command.\n", command);
+        return(NULL);
+        }
+}
+
+/******************************************************************/
+
 static unsigned int vcd_minid = ~0;
 static unsigned int vcd_maxid = 0;
 
@@ -199,6 +246,8 @@
 		{
 		return(indexed[hsh-vcd_minid]);
 		}
+
+	return(NULL); /* TALOS-2023-1807 */
 	}
 
 v=(struct vcdsymbol **)bsearch(key, sorted, numsyms,
@@ -561,7 +610,16 @@
         {
         if(len==T_MAX_STR)
                 {
-                yytext=(char *)realloc_2(yytext, (T_MAX_STR=T_MAX_STR*2)+1);
+		if(!varsplit)
+			{
+	                yytext=(char *)realloc_2(yytext, (T_MAX_STR=T_MAX_STR*2)+1);
+			}
+                else /* TALOS-2023-1806 */
+                        {
+                        int vsplit_len = varsplit - yytext; /* save old len */
+                        yytext=(char *)realloc_2(yytext, (T_MAX_STR=T_MAX_STR*2)+1);
+                        varsplit = yytext+vsplit_len; /* reconstruct old len in new buffer */
+                        }
                 }
 
         ch=getch();
@@ -930,7 +988,7 @@
 				}
 				else
 				{
-				if(yylen_cache<v->size)
+				if(yylen_cache<=v->size) /* TALOS-2023-1804 */
 					{
 					free_2(vector);
 					vector=malloc_2(v->size+1);
@@ -1139,6 +1197,11 @@
 			int vtok;
 			struct vcdsymbol *v=NULL;
 
+                        if(header_over)
+                                {
+                                chk_report_abort("TALOS-2023-1805: $var after $enddefinitions");
+                                }
+
 			var_prevch=0;
 			if(varsplit)
 				{
@@ -1585,7 +1648,7 @@
 	str=(char *)wave_alloca(strlen(fname)+dlen+1);
 	strcpy(str,WAVE_DECOMPRESSOR);
 	strcpy(str+dlen,fname);
-	vcd_handle=popen(str,"r");
+	vcd_handle=popen_san(str,"r");
 	vcd_is_compressed=~0;
 	}
 	else
diff -Nru gtkwave-3.3.116/src/helpers/vcd2lxt.c gtkwave-3.3.118/src/helpers/vcd2lxt.c
--- gtkwave-3.3.116/src/helpers/vcd2lxt.c	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/src/helpers/vcd2lxt.c	2023-12-31 23:11:04.000000000 +0200
@@ -139,6 +139,53 @@
 
 /******************************************************************/
 
+/*
+ * report abort messages
+ */
+static void chk_report_abort(const char *s)
+{
+fprintf(stderr,"Triggered %s security check, exiting.\n", s);
+abort();
+}
+
+/******************************************************************/
+
+static FILE *popen_san(const char *command, const char *type) /* TALOS-2023-1786 */
+{
+const char *p = command;
+int is_ok = 1;
+char ch;
+
+while(p && (ch = *(p++)))
+        {
+        switch(ch)
+                {
+                case '&':
+                case '|':
+                case ';':
+                case '\n':
+                case '`':
+                case '$':
+                        is_ok = 0;
+
+                default:
+                        break;
+                }
+        }
+
+if(is_ok)
+        {
+        return(popen(command, type));
+        }
+else
+        {
+        fprintf(stderr, "GTKWAVE | TALOS-2023-1786: popen() command string '%s' may not be properly sanitized, blocking command.\n", command);
+        return(NULL);
+        }
+}
+
+/******************************************************************/
+
 static unsigned int vcd_minid = ~0;
 static unsigned int vcd_maxid = 0;
 
@@ -193,6 +240,8 @@
 		{
 		return(indexed[hsh-vcd_minid]);
 		}
+
+	return(NULL); /* TALOS-2023-1807 */
 	}
 
 v=(struct vcdsymbol **)bsearch(key, sorted, numsyms,
@@ -556,7 +605,16 @@
         {
         if(len==T_MAX_STR)
                 {
-                yytext=(char *)realloc_2(yytext, (T_MAX_STR=T_MAX_STR*2)+1);
+		if(!varsplit)
+			{
+	                yytext=(char *)realloc_2(yytext, (T_MAX_STR=T_MAX_STR*2)+1);
+			}
+		else /* TALOS-2023-1806 */
+			{
+			int vsplit_len = varsplit - yytext; /* save old len */
+	                yytext=(char *)realloc_2(yytext, (T_MAX_STR=T_MAX_STR*2)+1);
+			varsplit = yytext+vsplit_len; /* reconstruct old len in new buffer */
+			}
                 }
 
         ch=getch();
@@ -925,7 +983,7 @@
 				}
 				else
 				{
-				if(yylen_cache<v->size)
+				if(yylen_cache<=v->size) /* TALOS-2023-1804 */
 					{
 					free_2(vector);
 					vector=malloc_2(v->size+1);
@@ -1137,6 +1195,11 @@
 			int vtok;
 			struct vcdsymbol *v=NULL;
 
+			if(header_over)
+				{
+				chk_report_abort("TALOS-2023-1805: $var after $enddefinitions");
+				}
+
 			var_prevch=0;
 			if(varsplit)
 				{
@@ -1661,7 +1724,7 @@
 	str=(char *)wave_alloca(strlen(fname)+dlen+1);
 	strcpy(str,WAVE_DECOMPRESSOR);
 	strcpy(str+dlen,fname);
-	vcd_handle=popen(str,"r");
+	vcd_handle=popen_san(str,"r");
 	vcd_is_compressed=~0;
 	}
 	else
diff -Nru gtkwave-3.3.116/src/helpers/vcd2vzt.c gtkwave-3.3.118/src/helpers/vcd2vzt.c
--- gtkwave-3.3.116/src/helpers/vcd2vzt.c	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/src/helpers/vcd2vzt.c	2023-12-31 23:11:04.000000000 +0200
@@ -147,6 +147,53 @@
 
 /******************************************************************/
 
+/*
+ * report abort messages
+ */
+static void chk_report_abort(const char *s)
+{
+fprintf(stderr,"Triggered %s security check, exiting.\n", s);
+abort();
+}
+
+/******************************************************************/
+
+static FILE *popen_san(const char *command, const char *type) /* TALOS-2023-1786 */
+{
+const char *p = command;
+int is_ok = 1;
+char ch;
+
+while(p && (ch = *(p++)))
+        {
+        switch(ch)
+                {
+                case '&':
+                case '|':
+                case ';':
+                case '\n':
+                case '`':
+                case '$':
+                        is_ok = 0;
+
+                default:
+                        break;
+                }
+        }
+
+if(is_ok)
+        {
+        return(popen(command, type));
+        }
+else
+    	{
+        fprintf(stderr, "GTKWAVE | TALOS-2023-1786: popen() command string '%s' may not be properly sanitized, blocking command.\n", command);
+        return(NULL);
+        }
+}
+
+/******************************************************************/
+
 static unsigned int vcd_minid = ~0;
 static unsigned int vcd_maxid = 0;
 
@@ -201,6 +248,8 @@
 		{
 		return(indexed[hsh-vcd_minid]);
 		}
+
+	return(NULL); /* TALOS-2023-1807 */
 	}
 
 v=(struct vcdsymbol **)bsearch(key, sorted, numsyms,
@@ -563,7 +612,16 @@
         {
         if(len==T_MAX_STR)
                 {
-                yytext=(char *)realloc_2(yytext, (T_MAX_STR=T_MAX_STR*2)+1);
+		if(!varsplit)
+			{
+	                yytext=(char *)realloc_2(yytext, (T_MAX_STR=T_MAX_STR*2)+1);
+			}
+                else /* TALOS-2023-1806 */
+                        {
+                        int vsplit_len = varsplit - yytext; /* save old len */
+                        yytext=(char *)realloc_2(yytext, (T_MAX_STR=T_MAX_STR*2)+1);
+                        varsplit = yytext+vsplit_len; /* reconstruct old len in new buffer */
+                        }
                 }
 
         ch=getch();
@@ -932,7 +990,7 @@
 				}
 				else
 				{
-				if(yylen_cache<v->size)
+				if(yylen_cache<=v->size) /* TALOS-2023-1804 */
 					{
 					free_2(vector);
 					vector=malloc_2(v->size+1);
@@ -1149,6 +1207,11 @@
 			int vtok;
 			struct vcdsymbol *v=NULL;
 
+                        if(header_over)
+                                {
+                                chk_report_abort("TALOS-2023-1805: $var after $enddefinitions");
+                                }
+
 			var_prevch=0;
 			if(varsplit)
 				{
@@ -1595,7 +1658,7 @@
 	str=(char *)wave_alloca(strlen(fname)+dlen+1);
 	strcpy(str,WAVE_DECOMPRESSOR);
 	strcpy(str+dlen,fname);
-	vcd_handle=popen(str,"r");
+	vcd_handle=popen_san(str,"r");
 	vcd_is_compressed=~0;
 	}
 	else
diff -Nru gtkwave-3.3.116/src/helpers/vzt_read.c gtkwave-3.3.118/src/helpers/vzt_read.c
--- gtkwave-3.3.116/src/helpers/vzt_read.c	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/src/helpers/vzt_read.c	2023-12-31 23:11:04.000000000 +0200
@@ -38,6 +38,17 @@
 
 /****************************************************************************/
 
+/*
+ * report abort messages
+ */
+static void chk_report_abort(const char *s)
+{
+fprintf(stderr,"Triggered %s security check, exiting.\n", s);
+abort();
+}
+
+/****************************************************************************/
+
 static int is_big_endian(void)
 {
 union
@@ -326,6 +337,13 @@
 if(num_time_ticks != 0)
 	{
 	vztint64_t cur_time;
+        {
+        size_t chk_x = num_time_ticks * sizeof(vztint64_t);
+        if((chk_x / sizeof(vztint64_t)) != num_time_ticks)
+               	{
+                chk_report_abort("TALOS-2023-1814");
+                }
+        }
 	times = malloc(num_time_ticks * sizeof(vztint64_t));
 	times[0] = cur_time = vzt_rd_get_v64(&pnt);
 	for(i=1;i<num_time_ticks;i++)
@@ -340,6 +358,13 @@
 	vztint64_t cur_time = b->start;
 
 	num_time_ticks = b->end - b->start + 1;
+        {
+        size_t chk_x = num_time_ticks * sizeof(vztint64_t);
+        if((chk_x / sizeof(vztint64_t)) != num_time_ticks)
+               	{
+                chk_report_abort("TALOS-2023-1814");
+                }
+        }
 	times = malloc(num_time_ticks * sizeof(vztint64_t));
 
 	for(i=0;i<num_time_ticks;i++)
@@ -360,6 +385,20 @@
 	vztint32_t first_bit = 0, curr_bit = 0;
 	vztint32_t runlen;
 
+	if(num_sections && num_dict_entries)
+		{
+		size_t chk_x = (num_sections * num_dict_entries);
+		size_t chk_y = chk_x * sizeof(vztint32_t);
+	
+		if((chk_x/num_sections) != num_dict_entries)
+			{
+			chk_report_abort("TALOS-2023-1815");
+			}
+		if((chk_y/sizeof(vztint32_t)) != chk_x)
+			{
+			chk_report_abort("TALOS-2023-1815");
+			}
+		}
 	val_dict = calloc(1, b->num_rle_bytes = (num_dict_words = num_sections * num_dict_entries) * sizeof(vztint32_t));
 	curr_dec_dict = val_dict;
 
@@ -444,7 +483,20 @@
 		}
 	}
 
+if(num_sections && num_dict_entries)
+	{
+	size_t chk_x = (num_sections * num_dict_entries);
+	size_t chk_y = chk_x * sizeof(vztint32_t);
 
+	if((chk_x/num_sections) != num_dict_entries)
+		{
+		chk_report_abort("TALOS-2023-1815");
+		}
+	if((chk_y/sizeof(vztint32_t)) != chk_x)
+		{
+		chk_report_abort("TALOS-2023-1815");
+		}
+	}
 num_dict_words = (num_sections * num_dict_entries) * sizeof(vztint32_t);
 change_dict = malloc(num_dict_words ? num_dict_words : sizeof(vztint32_t)); /* scan-build */
 m = 0;
@@ -866,10 +918,17 @@
 		i2 = vzt_rd_next_value_chg_time(lt, b, i, idx);
                 if(i2)
                         {
-                        struct vzt_ncycle_autosort *t = autosort[i2];
-
-                        autofacs[idx].next = t;
-                        autosort[i2] = autofacs+idx;
+			if(i2 < b->num_time_ticks)
+				{
+	                        struct vzt_ncycle_autosort *t = autosort[i2];
+	
+	                        autofacs[idx].next = t;
+	                        autosort[i2] = autofacs+idx;
+				}
+			else
+				{
+				chk_report_abort("TALOS-2023-1817");
+				}
                         }
                         else
                         {
@@ -917,10 +976,17 @@
 
                         if(i2!=i)
                                 {
-                                struct vzt_ncycle_autosort *ta = autosort[i2];
+				if(i2 < b->num_time_ticks)
+					{
+	                                struct vzt_ncycle_autosort *ta = autosort[i2];
 
-                                autofacs[idx].next = ta;
-                                autosort[i2] = autofacs+idx;
+	                                autofacs[idx].next = ta;
+	                                autosort[i2] = autofacs+idx;
+					}
+				else
+					{
+					chk_report_abort("TALOS-2023-1817");
+					}
                                 }
                                 else
                                 {
@@ -1131,12 +1197,24 @@
 			clonecnt=vzt_rd_get_16(lt->faccache->n, 0);  lt->faccache->n+=2;
 			pnt=lt->faccache->bufcurr;
 
+			if(clonecnt > lt->longestname)
+				{
+				chk_report_abort("TALOS-2023-1813");
+				}
+
 			for(j=0;j<clonecnt;j++)
 				{
 				*(pnt++) = lt->faccache->bufprev[j];
 				}
 
-			while((*(pnt++)=vzt_rd_get_byte(lt->faccache->n++,0)));
+			char *bufcurr_exceeded = lt->faccache->bufcurr + (lt->longestname+1);
+			do
+				{
+				if(bufcurr_exceeded == pnt)
+					{
+					chk_report_abort("TALOS-2023-1813");
+					}
+				} while((*(pnt++)=vzt_rd_get_byte(lt->faccache->n++,0)));
 			lt->faccache->old_facidx = facidx;
 			return(lt->faccache->bufcurr);
 			}
@@ -1853,6 +1931,13 @@
 
 		pos = pos+lt->zfacgeometrysize;
 
+                {
+                size_t chk_x = lt->numfacs * sizeof(vztint32_t);
+                if((chk_x / sizeof(vztint32_t)) != lt->numfacs)
+                	{
+                        chk_report_abort("TALOS-2023-1812");
+                        }
+                }
 		lt->rows = malloc(lt->numfacs * sizeof(vztint32_t));
 		lt->msb = malloc(lt->numfacs * sizeof(vztsint32_t));
 		lt->lsb = malloc(lt->numfacs * sizeof(vztsint32_t));
@@ -1887,6 +1972,14 @@
 				}
 			}
 
+		if(sizeof(size_t) < sizeof(uint64_t))
+			{
+			if(lt->longest_len == 0xffffffff)
+				{
+				chk_report_abort("TALOS-2023-1816");
+				}
+			}
+
 		vindex_offset = 0; /* offset in value table */
 		for(lt->numrealfacs=0; lt->numrealfacs<lt->numfacs; lt->numrealfacs++)
 			{
diff -Nru gtkwave-3.3.116/src/libghw.c gtkwave-3.3.118/src/libghw.c
--- gtkwave-3.3.116/src/libghw.c	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/src/libghw.c	2023-12-31 23:11:04.000000000 +0200
@@ -22,6 +22,7 @@
 #include <unistd.h>
 
 #include "libghw.h"
+#include "debug.h"
 
 /* Reopen H through decompressor DECOMP.  */
 
@@ -33,7 +34,7 @@
 
   snprintf (p, plen, "%s %s", decomp, filename);
   fclose (h->stream);
-  h->stream = popen (p, "r");
+  h->stream = popen_san (p, "r");
   free (p);
 
   if (h->stream == NULL)
diff -Nru gtkwave-3.3.116/src/liblzma/LzmaLib.c gtkwave-3.3.118/src/liblzma/LzmaLib.c
--- gtkwave-3.3.116/src/liblzma/LzmaLib.c	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/src/liblzma/LzmaLib.c	2023-12-31 23:11:04.000000000 +0200
@@ -51,6 +51,16 @@
 };
 
 
+/*
+ * report abort messages
+ */
+static void chk_report_abort(const char *s)
+{
+fprintf(stderr,"Triggered %s security check, exiting.\n", s);
+abort();
+}
+
+
 static void LZMA_write_varint(struct lzma_handle_t *h, size_t v)
 {
 size_t nxt;
@@ -72,16 +82,22 @@
 /* ifdef is warnings fix if XZ is not present */
 static size_t LZMA_read_varint(struct lzma_handle_t *h)
 {
-unsigned char buf[16];
+int chk_len = 16; /* TALOS-2023-1811 */
+unsigned char buf[chk_len];
 int idx = 0;
 size_t rc = 0;
 
-for(;;)
+while(idx<chk_len)
 	{
 	h->read_cnt += read(h->fd, buf+idx, 1);
 	if(buf[idx++] & 0x80) break;
 	}
 
+if(idx == chk_len)
+	{
+	chk_report_abort("TALOS-2023-1811");	
+	}
+
 do
 	{
 	idx--;
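Review bot: The return value of `read(h->fd, buf+idx, 1)` is added to `h->read_cnt` without being tested, so at end of file or on error `buf[idx]` is examined uninitialised and the loop keeps going until the new length limit trips. Storing the result in a local and calling `chk_report_abort` when it is not 1, before the `0x80` test, stops at the first short read. Declaring the size as `int chk_len = 16;` also turns `buf` into a variable-length array; `enum { chk_len = 16 };` keeps it a fixed array. Note that `idx == chk_len` is also true when the terminating byte is the sixteenth one, which is harmless for a `size_t` varint but worth a comment.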
@@ -324,6 +340,21 @@
 
 			srclen = LZMA_read_varint(h);
 
+			if(srclen > h->blksiz) /* TALOS-2023-1810 */
+				{
+				if(h->dmem)
+					{
+					free(h->dmem);
+					}
+				if(h->mem)
+					{
+					free(h->mem);
+					}
+				h->blksiz = srclen; 
+				h->mem = malloc(h->blksiz);
+				h->dmem = malloc(h->blksiz);
+				}
+
 			if(!srclen)
 				{
 				h->read_cnt += (rc = read(h->fd, h->mem, dstlen));
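Review bot: The regrow path for TALOS-2023-1810 sizes both buffers from `srclen`, a value decoded from the input, without an upper limit and without testing either `malloc` result. A large `srclen` therefore becomes either a very large allocation or two NULL pointers that the `read` calls below receive as destinations; checking `if(!h->mem || !h->dmem)` and capping `srclen` at a sane multiple of the original block size would fail cleanly instead. `dstlen`, used as the length in `read(h->fd, h->mem, dstlen)`, is not compared with `h->blksiz` anywhere in this hunk; it is set outside it, so confirm it is bounded there. `free(NULL)` is a no-op, so the two `if` guards around `free` can go.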
@@ -335,7 +366,7 @@
 				lzma_stream strm = LZMA_STREAM_INIT;
 				lzma_ret lrc;
 
-				h->read_cnt += (rc = read(h->fd, h->dmem, srclen));
+				h->read_cnt += (rc = read(h->fd, h->dmem, srclen)); /* TALOS-2023-1810: srclen used here, generally ok as data are compressible */
 
 				lrc = lzma_alone_decoder(&strm, LZMA_DECODER_SIZE);
 				if(lrc != LZMA_OK)
diff -Nru gtkwave-3.3.116/src/main.c gtkwave-3.3.118/src/main.c
--- gtkwave-3.3.116/src/main.c	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/src/main.c	2023-12-31 23:11:04.000000000 +0200
@@ -1926,7 +1926,7 @@
 	        str=wave_alloca(strlen(wname)+dlen+1);
 	        strcpy(str,WAVE_DECOMPRESSOR);
 	        strcpy(str+dlen,wname);
-	        wave=popen(str,"r");
+	        wave=popen_san(str,"r");
 	        wave_is_compressed=~0;
 	        }
 	        else
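Review bot: `wname` is still pasted unquoted into a shell command line (`WAVE_DECOMPRESSOR` + file name) before it reaches `popen_san()`, so the safety of this call rests entirely on what that wrapper rejects, and its definition is not part of this hunk (the diffstat lists changes in src/debug.c and src/debug.h). The same pattern recurs in the second main.c hunk, both savefile.c hunks (`"zcat "` + `wname`) and the decompressor hunks at the end of vcd.c and vcd_recoder.c. A one-line comment at each call site would help, e.g. `/* str embeds the file name; popen_san() is the only filter before the shell */`. Longer term, spawning the decompressor with an explicit argv instead of a shell string would remove the dependency on filtering. The enclosing function starts and ends outside the hunk.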
@@ -1974,7 +1974,7 @@
 			if(wave_is_compressed)
 			        {
 				pclose(wave);
-			        wave=popen(str,"r");
+			        wave=popen_san(str,"r");
 			        }
 			        else
 			        {
diff -Nru gtkwave-3.3.116/src/ptranslate.c gtkwave-3.3.118/src/ptranslate.c
--- gtkwave-3.3.116/src/ptranslate.c	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/src/ptranslate.c	2023-12-31 23:11:04.000000000 +0200
@@ -166,7 +166,7 @@
 #if !defined __MINGW32__
   cmd = (char *)malloc_2(strlen(exec_name)+6+1);
   sprintf(cmd, "which %s", exec_name);
-  stream = popen(cmd, "r");
+  stream = popen_san(cmd, "r");
 
   result = fscanf(stream, "%s", abs_path);
 
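Review bot: `stream` is passed to `fscanf()` on the line after `popen_san()` without a NULL check, and `popen()`-style calls return NULL when the pipe or fork fails; whether `popen_san()` can also return NULL when it rejects `cmd` is not visible here. Guard the use, e.g. `result = stream ? fscanf(stream, "%s", abs_path) : EOF;`, and make sure any later `pclose(stream)` is skipped in that case. The `"%s"` conversion is also unbounded, so the output of `which` is limited only by the size of `abs_path`, which is declared outside this hunk; a field width matching that buffer would close it. The ttranslate.c hunk has the identical sequence.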
diff -Nru gtkwave-3.3.116/src/savefile.c gtkwave-3.3.118/src/savefile.c
--- gtkwave-3.3.116/src/savefile.c	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/src/savefile.c	2023-12-31 23:11:04.000000000 +0200
@@ -667,7 +667,7 @@
                 str=wave_alloca(strlen(wname)+5+1);
                 strcpy(str,"zcat ");
                 strcpy(str+5,wname);
-                wave=popen(str,"r");
+                wave=popen_san(str,"r");
                 wave_is_compressed=~0;
                 }
                 else
@@ -804,7 +804,7 @@
 			if(wave_is_compressed)
 		                {
 				pclose(wave);
-		                wave=popen(str,"r");
+		                wave=popen_san(str,"r");
 		                }
 		                else
 		                {
diff -Nru gtkwave-3.3.116/src/ttranslate.c gtkwave-3.3.118/src/ttranslate.c
--- gtkwave-3.3.116/src/ttranslate.c	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/src/ttranslate.c	2023-12-31 23:11:04.000000000 +0200
@@ -187,7 +187,7 @@
 #if !defined __MINGW32__
   cmd = (char *)malloc_2(strlen(exec_name)+6+1);
   sprintf(cmd, "which %s", exec_name);
-  stream = popen(cmd, "r");
+  stream = popen_san(cmd, "r");
 
   result = fscanf(stream, "%s", abs_path);
 
diff -Nru gtkwave-3.3.116/src/vcd.c gtkwave-3.3.118/src/vcd.c
--- gtkwave-3.3.116/src/vcd.c	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/src/vcd.c	2023-12-31 23:11:04.000000000 +0200
@@ -549,7 +549,16 @@
 	{
 	if(len==GLOBALS->T_MAX_STR_vcd_c_1)
 		{
-		GLOBALS->yytext_vcd_c_1=(char *)realloc_2(GLOBALS->yytext_vcd_c_1, (GLOBALS->T_MAX_STR_vcd_c_1=GLOBALS->T_MAX_STR_vcd_c_1*2)+1);
+		if(!GLOBALS->varsplit_vcd_c_1)
+			{
+			GLOBALS->yytext_vcd_c_1=(char *)realloc_2(GLOBALS->yytext_vcd_c_1, (GLOBALS->T_MAX_STR_vcd_c_1=GLOBALS->T_MAX_STR_vcd_c_1*2)+1);
+			}
+                else /* TALOS-2023-1806 */
+                        {
+                        int vsplit_len = GLOBALS->varsplit_vcd_c_1 - GLOBALS->yytext_vcd_c_1; /* save old len */
+			GLOBALS->yytext_vcd_c_1=(char *)realloc_2(GLOBALS->yytext_vcd_c_1, (GLOBALS->T_MAX_STR_vcd_c_1=GLOBALS->T_MAX_STR_vcd_c_1*2)+1);
+                        GLOBALS->varsplit_vcd_c_1 = GLOBALS->yytext_vcd_c_1+vsplit_len; /* reconstruct old len in new buffer */
+                        }
 		}
 
         ch=getch();
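Review bot: In the TALOS-2023-1806 branch the offset of `varsplit_vcd_c_1` into the old buffer is stored in an `int`, while a pointer difference has type `ptrdiff_t`; with a token buffer that keeps doubling this narrows silently, so declare it as `ptrdiff_t vsplit_len = ...`. The two branches also repeat the same `realloc_2()` line; computing the offset only when `varsplit_vcd_c_1` is non-NULL, reallocating once, and then restoring the pointer would leave a single growth path to audit. The doubling of `T_MAX_STR_vcd_c_1` itself is unchecked for overflow, though its type is declared outside this hunk. The same code is added in the matching hunks of vcd_partial.c and vcd_recoder.c.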
@@ -962,7 +971,7 @@
 				}
 				else
 				{
-				if(GLOBALS->yylen_cache_vcd_c_1<v->size)
+				if(GLOBALS->yylen_cache_vcd_c_1<=v->size) /* TALOS-2023-1804 */
 					{
 					free_2(vector);
 					vector=malloc_2(v->size+1);
@@ -1245,7 +1254,7 @@
 			sync_end(NULL);
 			break;
 		case T_VAR:
-			if((GLOBALS->header_over_vcd_c_1)&&(0))
+			if(GLOBALS->header_over_vcd_c_1) /* reinstated because of TALOS-2023-1805 */
 			{
 			fprintf(stderr,"$VAR encountered after $ENDDEFINITIONS near byte %d.  VCD is malformed, exiting.\n",
 				(int)(GLOBALS->vcdbyteno_vcd_c_1+(GLOBALS->vst_vcd_c_1-GLOBALS->vcdbuf_vcd_c_1)));
@@ -2626,7 +2635,7 @@
 	str=wave_alloca(strlen(fname)+dlen+1);
 	strcpy(str,WAVE_DECOMPRESSOR);
 	strcpy(str+dlen,fname);
-	GLOBALS->vcd_handle_vcd_c_1=popen(str,"r");
+	GLOBALS->vcd_handle_vcd_c_1=popen_san(str,"r");
 	GLOBALS->vcd_is_compressed_vcd_c_1=~0;
 	}
 	else
diff -Nru gtkwave-3.3.116/src/vcd_partial.c gtkwave-3.3.118/src/vcd_partial.c
--- gtkwave-3.3.116/src/vcd_partial.c	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/src/vcd_partial.c	2023-12-31 23:11:04.000000000 +0200
@@ -525,7 +525,16 @@
 	{
 	if(len==GLOBALS->T_MAX_STR_vcd_partial_c_2)
 		{
-		GLOBALS->yytext_vcd_partial_c_2=(char *)realloc_2(GLOBALS->yytext_vcd_partial_c_2, (GLOBALS->T_MAX_STR_vcd_partial_c_2=GLOBALS->T_MAX_STR_vcd_partial_c_2*2)+1);
+		if(!GLOBALS->varsplit_vcd_partial_c_2)
+			{
+			GLOBALS->yytext_vcd_partial_c_2=(char *)realloc_2(GLOBALS->yytext_vcd_partial_c_2, (GLOBALS->T_MAX_STR_vcd_partial_c_2=GLOBALS->T_MAX_STR_vcd_partial_c_2*2)+1);
+			}
+                else /* TALOS-2023-1806 */
+                        {
+                        int vsplit_len = GLOBALS->varsplit_vcd_partial_c_2 - GLOBALS->yytext_vcd_partial_c_2; /* save old len */
+                        GLOBALS->yytext_vcd_partial_c_2=(char *)realloc_2(GLOBALS->yytext_vcd_partial_c_2, (GLOBALS->T_MAX_STR_vcd_partial_c_2=GLOBALS->T_MAX_STR_vcd_partial_c_2*2)+1);
+                        GLOBALS->varsplit_vcd_partial_c_2 = GLOBALS->yytext_vcd_partial_c_2+vsplit_len; /* reconstruct old len in new buffer */
+                        }
 		}
 
 	ch=getch();
@@ -898,7 +907,7 @@
 				}
 				else
 				{
-				if(GLOBALS->yylen_cache_vcd_partial_c_2<v->size)
+				if(GLOBALS->yylen_cache_vcd_partial_c_2<=v->size) /* TALOS-2023-1804 */
 					{
 					free_2(vector);
 					vector=malloc_2(v->size+1);
@@ -1193,11 +1202,11 @@
 			sync_end(NULL);
 			break;
 		case T_VAR:
-			if((GLOBALS->header_over_vcd_partial_c_2)&&(0))
+			if(GLOBALS->header_over_vcd_partial_c_2) /* reinstated because of TALOS-2023-1805 */
 			{
 			fprintf(stderr,"$VAR encountered after $ENDDEFINITIONS near byte %d.  VCD is malformed, exiting.\n",
 				(int)(GLOBALS->vcdbyteno_vcd_partial_c_2+(GLOBALS->vst_vcd_partial_c_2-GLOBALS->vcdbuf_vcd_partial_c_2)));
-			exit(0);
+			exit(255);
 			}
 			else
 			{
diff -Nru gtkwave-3.3.116/src/vcd_recoder.c gtkwave-3.3.118/src/vcd_recoder.c
--- gtkwave-3.3.116/src/vcd_recoder.c	2023-07-23 03:37:07.000000000 +0300
+++ gtkwave-3.3.118/src/vcd_recoder.c	2023-12-31 23:11:04.000000000 +0200
@@ -1054,7 +1054,16 @@
 	{
 	if(len==GLOBALS->T_MAX_STR_vcd_recoder_c_3)
 		{
-		GLOBALS->yytext_vcd_recoder_c_3=(char *)realloc_2(GLOBALS->yytext_vcd_recoder_c_3, (GLOBALS->T_MAX_STR_vcd_recoder_c_3=GLOBALS->T_MAX_STR_vcd_recoder_c_3*2)+1);
+		if(!GLOBALS->varsplit_vcd_recoder_c_3)
+			{
+			GLOBALS->yytext_vcd_recoder_c_3=(char *)realloc_2(GLOBALS->yytext_vcd_recoder_c_3, (GLOBALS->T_MAX_STR_vcd_recoder_c_3=GLOBALS->T_MAX_STR_vcd_recoder_c_3*2)+1);
+			}
+		else /* TALOS-2023-1806 */
+			{
+			int vsplit_len = GLOBALS->varsplit_vcd_recoder_c_3 - GLOBALS->yytext_vcd_recoder_c_3; /* save old len */
+			GLOBALS->yytext_vcd_recoder_c_3=(char *)realloc_2(GLOBALS->yytext_vcd_recoder_c_3, (GLOBALS->T_MAX_STR_vcd_recoder_c_3=GLOBALS->T_MAX_STR_vcd_recoder_c_3*2)+1);
+			GLOBALS->varsplit_vcd_recoder_c_3 = GLOBALS->yytext_vcd_recoder_c_3+vsplit_len; /* reconstruct old len in new buffer */
+			}
 		}
 
 	ch=getch();
@@ -1587,7 +1596,7 @@
 			sync_end(NULL);
 			break;
 		case T_VAR:
-			if((GLOBALS->header_over_vcd_recoder_c_3)&&(0))
+			if(GLOBALS->header_over_vcd_recoder_c_3) /* reinstated because of TALOS-2023-1805 */
 			{
 			fprintf(stderr,"$VAR encountered after $ENDDEFINITIONS near byte %d.  VCD is malformed, exiting.\n",
 				(int)(GLOBALS->vcdbyteno_vcd_recoder_c_3+(GLOBALS->vst_vcd_recoder_c_3-GLOBALS->vcdbuf_vcd_recoder_c_3)));
@@ -2816,7 +2825,7 @@
 	str=wave_alloca(strlen(fname)+dlen+1);
 	strcpy(str,WAVE_DECOMPRESSOR);
 	strcpy(str+dlen,fname);
-	GLOBALS->vcd_handle_vcd_recoder_c_2=popen(str,"r");
+	GLOBALS->vcd_handle_vcd_recoder_c_2=popen_san(str,"r");
 	GLOBALS->vcd_is_compressed_vcd_recoder_c_2=~0;
 	}
 	else
