Control: tags 1060407 + patch Control: tags 1060407 + pending Dear maintainer,
I've prepared an NMU for gtkwave (versioned as 3.3.118-0.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it. cu Adrian
diffstat for gtkwave-3.3.116 gtkwave-3.3.118 ChangeLog | 44 ++++ LICENSE.TXT | 2 configure | 20 +- configure.ac | 2 contrib/bundle_for_osx/Info-gtkwave.plist | 6 contrib/xml2stems/xml2stems.cc | 20 +- debian/changelog | 30 +++ share/appdata/Makefile.am | 2 share/appdata/Makefile.in | 2 share/appdata/gtkwave.appdata.xml | 20 -- share/appdata/io.github.gtkwave.GTKWave.metainfo.xml | 143 ++++++++++++++ src/debug.c | 39 +++ src/debug.h | 3 src/extload.c | 6 src/globals.h | 2 src/helpers/evcd2vcd.c | 14 + src/helpers/fst/fstapi.c | 189 +++++++++++++++++-- src/helpers/lxt2_read.c | 96 +++++++++ src/helpers/vcd2fst.c | 47 ++++ src/helpers/vcd2lxt.c | 69 ++++++ src/helpers/vcd2lxt2.c | 69 ++++++ src/helpers/vcd2vzt.c | 69 ++++++ src/helpers/vzt_read.c | 109 ++++++++++ src/libghw.c | 3 src/liblzma/LzmaLib.c | 37 +++ src/main.c | 4 src/ptranslate.c | 2 src/savefile.c | 4 src/ttranslate.c | 2 src/vcd.c | 17 + src/vcd_partial.c | 17 + src/vcd_recoder.c | 15 + 32 files changed, 1000 insertions(+), 104 deletions(-) diff -Nru gtkwave-3.3.116/ChangeLog gtkwave-3.3.118/ChangeLog --- gtkwave-3.3.116/ChangeLog 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/ChangeLog 2023-12-31 23:11:04.000000000 +0200 
@@ -1843,3 +1843,47 @@ Add GDK_WINDOWING_WAYLAND check for gdkwayland.h header usage. Changed sprintf to snprintf in fstapi.c. Fix init crash on show_base_symbols enabled. +3.3.117 08aug23 Fix stems reader processing code broken in 3.3.114. +3.3.118 17dec23 Update xml2stems to handle newer "loc" vs "fl" xml tags. + Change preg_regex_c_1 decl to use regex_t* as datatype. + Move gtkwave.appdata.xml to + io.github.gtkwave.GTKWave.metainfo.xml. + Fixed popen security advisories: + TALOS-2023-1786 + Fixed FST security advisories: + TALOS-2023-1777 + TALOS-2023-1783 + TALOS-2023-1785 + TALOS-2023-1789 + TALOS-2023-1790 + TALOS-2023-1791 + TALOS-2023-1792 + TALOS-2023-1793 + TALOS-2023-1797 + TALOS-2023-1798 + Fixed evcd2vcd security advisories: + TALOS-2023-1803 + Fixed VCD security advisories: + TALOS-2023-1804 + TALOS-2023-1805 + TALOS-2023-1806 + TALOS-2023-1807 + Fixed VZT security advisories: + TALOS-2023-1810 + TALOS-2023-1811 + TALOS-2023-1812 + TALOS-2023-1813 + TALOS-2023-1814 + TALOS-2023-1815 + TALOS-2023-1816 + TALOS-2023-1817 + Fixed LXT2 security advisories: + TALOS-2023-1818 + TALOS-2023-1819 + TALOS-2023-1820 + TALOS-2023-1821 + TALOS-2023-1822 + TALOS-2023-1823 + TALOS-2023-1824 + TALOS-2023-1826 + TALOS-2023-1827 diff -Nru gtkwave-3.3.116/configure gtkwave-3.3.118/configure --- gtkwave-3.3.116/configure 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/configure 2023-12-31 23:11:03.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for gtkwave-gtk3 3.3.116. +# Generated by GNU Autoconf 2.69 for gtkwave-gtk3 3.3.118. # # Report bugs to <byb...@rocketmail.com>. # @@ -580,8 +580,8 @@ # Identity of this package. PACKAGE_NAME='gtkwave-gtk3' PACKAGE_TARNAME='gtkwave-gtk3' -PACKAGE_VERSION='3.3.116' -PACKAGE_STRING='gtkwave-gtk3 3.3.116' +PACKAGE_VERSION='3.3.118' +PACKAGE_STRING='gtkwave-gtk3 3.3.118' PACKAGE_BUGREPORT='byb...@rocketmail.com' PACKAGE_URL='' 
@@ -1395,7 +1395,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures gtkwave-gtk3 3.3.116 to adapt to many kinds of systems. +\`configure' configures gtkwave-gtk3 3.3.118 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1461,7 +1461,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of gtkwave-gtk3 3.3.116:";; + short | recursive ) echo "Configuration of gtkwave-gtk3 3.3.118:";; esac cat <<\_ACEOF @@ -1609,7 +1609,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -gtkwave-gtk3 configure 3.3.116 +gtkwave-gtk3 configure 3.3.118 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2253,7 +2253,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by gtkwave-gtk3 $as_me 3.3.116, which was +It was created by gtkwave-gtk3 $as_me 3.3.118, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3120,7 +3120,7 @@ # Define the identity of the package. PACKAGE='gtkwave-gtk3' - VERSION='3.3.116' + VERSION='3.3.118' cat >>confdefs.h <<_ACEOF @@ -11568,7 +11568,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by gtkwave-gtk3 $as_me 3.3.116, which was +This file was extended by gtkwave-gtk3 $as_me 3.3.118, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -11634,7 +11634,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -gtkwave-gtk3 config.status 3.3.116 +gtkwave-gtk3 config.status 3.3.118 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -Nru gtkwave-3.3.116/configure.ac gtkwave-3.3.118/configure.ac --- gtkwave-3.3.116/configure.ac 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/configure.ac 2023-12-31 23:11:03.000000000 +0200 @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.59) -AC_INIT(gtkwave-gtk3, 3.3.116, byb...@rocketmail.com) +AC_INIT(gtkwave-gtk3, 3.3.118, byb...@rocketmail.com) AC_CONFIG_SRCDIR([src/vcd.c]) AM_INIT_AUTOMAKE AC_CONFIG_HEADER([config.h]) diff -Nru gtkwave-3.3.116/contrib/bundle_for_osx/Info-gtkwave.plist gtkwave-3.3.118/contrib/bundle_for_osx/Info-gtkwave.plist --- gtkwave-3.3.116/contrib/bundle_for_osx/Info-gtkwave.plist 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/contrib/bundle_for_osx/Info-gtkwave.plist 2023-12-31 23:11:03.000000000 +0200 @@ -8,7 +8,7 @@ <key>CFBundleExecutable</key> <string>gtkwave</string> <key>CFBundleGetInfoString</key> - <string>3.3.116, (C) 1999-2023 Tony Bybell http://gtkwave.sourceforge.net</string> + <string>3.3.118, (C) 1999-2023 Tony Bybell http://gtkwave.sourceforge.net</string> <key>CFBundleIconFile</key> <string>gtkwave.icns</string> <key>CFBundleIdentifier</key> 
@@ -18,11 +18,11 @@ <key>CFBundlePackageType</key> <string>APPL</string> <key>CFBundleShortVersionString</key> - <string>3.3.116</string> + <string>3.3.118</string> <key>CFBundleSignature</key> <string>????</string> <key>CFBundleVersion</key> - <string>3.3.116</string> + <string>3.3.118</string> <key>NSHumanReadableCopyright</key> <string>Copyright 1999 - 2023 Tony Bybell, GNU General Public License.</string> <key>LSMinimumSystemVersion</key> diff -Nru gtkwave-3.3.116/contrib/xml2stems/xml2stems.cc gtkwave-3.3.118/contrib/xml2stems/xml2stems.cc --- gtkwave-3.3.116/contrib/xml2stems/xml2stems.cc 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/contrib/xml2stems/xml2stems.cc 2023-12-31 23:11:03.000000000 +0200 @@ -138,6 +138,9 @@ { const char *nam = (*xmt)[string("name")].c_str(); const char *fl = (*xmt)[string("fl")].c_str(); + const char *loc = (*xmt)[string("loc")].c_str(); + int loc_offset = 0; + if(!fl || !strlen(fl)) { fl = loc; loc_offset = 1; } if(!oneline) { @@ -148,7 +151,8 @@ const char *s = fl; char *d = fl_dup; while(isalpha(*s)) { *(d++) = *(s++); } *d = 0; - + + s+=loc_offset; unsigned int lineno = atoi(s); const char *mnam = fId[fl_dup].c_str(); @@ -194,6 +198,9 @@ const char *fl = (*xmt)[string("fl")].c_str(); const char *nam = (*xmt)[string("name")].c_str(); const char *tms = (*xmt)[string("topModule")].c_str(); + const char *loc = (*xmt)[string("loc")].c_str(); + int loc_offset = 0; + if(!fl || !strlen(fl)) { fl = loc; loc_offset = 1; } if(fl && nam && tms) { @@ -205,7 +212,8 @@ const char *s = fl; char *d = fl_dup; while(isalpha(*s)) { *(d++) = *(s++); } *d = 0; - + + s += loc_offset; unsigned int lineno = atoi(s); const char *mnam = fId[fl_dup].c_str(); fprintf(fo, "++ module %s file %s lines %d - %d\n", nam, mnam, lineno, lineno); /* don't need line number it truly ends at */ 
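Review bot: The new `s += loc_offset;` (hunk at 148, and again at 205 and 303) steps over one character unconditionally once the "loc" fallback is taken. If both "fl" and "loc" are missing or empty, `fl` is the empty string, the `isalpha` loop stops on the terminator, and the increment moves `s` one byte past the end of the string before `atoi(s)` reads it. Guard the skip, for example `if(loc_offset && *s) { s++; }`; if the "loc" separator is always a comma (its format is not visible in this diff), testing `*s == ','` would be stricter. The enclosing tag handlers start and end outside these hunks.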
@@ -233,7 +241,7 @@ func_nesting_cnt = (!endtag) ? (func_nesting_cnt+1) : (func_nesting_cnt-1); } else - if(!strncmp(pnt, "files", 5)) + if((!strncmp(pnt, "files", 5)) || (!strncmp(pnt, "module_files", 12))) { in_files = (!endtag); } @@ -293,7 +301,10 @@ { const char *fl = (*xmt)[string("fl")].c_str(); const char *nam = (*xmt)[string("name")].c_str(); - + const char *loc = (*xmt)[string("loc")].c_str(); + int loc_offset = 0; + if(!fl || !strlen(fl)) { fl = loc; loc_offset = 1; } + if(fl && nam) { mId.push(nam); @@ -303,6 +314,7 @@ while(isalpha(*s)) { *(d++) = *(s++); } *d = 0; + s += loc_offset; unsigned int lineno = atoi(s); const char *mnam = fId[fl_dup].c_str(); fprintf(fo, "++ udp %s file %s lines %d - %d\n", nam, mnam, lineno, lineno); /* don't need line number it truly ends at */ diff -Nru gtkwave-3.3.116/debian/changelog gtkwave-3.3.118/debian/changelog --- gtkwave-3.3.116/debian/changelog 2023-07-29 06:35:40.000000000 +0300 +++ gtkwave-3.3.118/debian/changelog 2024-03-23 21:54:30.000000000 +0200 
@@ -1,3 +1,33 @@ +gtkwave (3.3.118-0.1) unstable; urgency=high + + * Non-maintainer upload. + * New upstream release. + - Fixes multiple vulnerabilities: + CVE-2023-32650, CVE-2023-34087, CVE-2023-34436, CVE-2023-35004, + CVE-2023-35057, CVE-2023-35128, CVE-2023-35702, CVE-2023-35703, + CVE-2023-35704, CVE-2023-35955, CVE-2023-35956, CVE-2023-35957, + CVE-2023-35958, CVE-2023-35959, CVE-2023-35960, CVE-2023-35961, + CVE-2023-35962, CVE-2023-35963, CVE-2023-35964, CVE-2023-35969, + CVE-2023-35970, CVE-2023-35989, CVE-2023-35992, CVE-2023-35994, + CVE-2023-35995, CVE-2023-35996, CVE-2023-35997, CVE-2023-36746, + CVE-2023-36747, CVE-2023-36861, CVE-2023-36864, CVE-2023-36915, + CVE-2023-36916, CVE-2023-37282, CVE-2023-37416, CVE-2023-37417, + CVE-2023-37418, CVE-2023-37419, CVE-2023-37420, CVE-2023-37442, + CVE-2023-37443, CVE-2023-37444, CVE-2023-37445, CVE-2023-37446, + CVE-2023-37447, CVE-2023-37573, CVE-2023-37574, CVE-2023-37575, + CVE-2023-37576, CVE-2023-37577, CVE-2023-37578, CVE-2023-37921, + CVE-2023-37922, CVE-2023-37923, CVE-2023-38583, CVE-2023-38618, + CVE-2023-38619, CVE-2023-38620, CVE-2023-38621, CVE-2023-38622, + CVE-2023-38623, CVE-2023-38648, CVE-2023-38649, CVE-2023-38650, + CVE-2023-38651, CVE-2023-38652, CVE-2023-38653, CVE-2023-38657, + CVE-2023-39234, CVE-2023-39235, CVE-2023-39270, CVE-2023-39271, + CVE-2023-39272, CVE-2023-39273, CVE-2023-39274, CVE-2023-39275, + CVE-2023-39316, CVE-2023-39317, CVE-2023-39413, CVE-2023-39414, + CVE-2023-39443, CVE-2023-39444 + (Closes: #1060407) + + -- Adrian Bunk <b...@debian.org> Sat, 23 Mar 2024 21:54:30 +0200 + gtkwave (3.3.116-1) unstable; urgency=medium * New upstream version 3.3.116 diff -Nru gtkwave-3.3.116/LICENSE.TXT gtkwave-3.3.118/LICENSE.TXT --- gtkwave-3.3.116/LICENSE.TXT 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/LICENSE.TXT 2023-12-31 23:11:03.000000000 +0200 
@@ -1,6 +1,6 @@ ########################################################################## -GTKWave 3.3.116 Wave Viewer is Copyright (C) 1999-2023 Tony Bybell. +GTKWave 3.3.118 Wave Viewer is Copyright (C) 1999-2023 Tony Bybell. Portions of GTKWave are Copyright (C) 1999-2023 Udi Finkelstein. Context support is Copyright (C) 2007-2023 Kermin Elliott Fleming. Trace group support is Copyright (C) 2009-2023 Donald Baltus. diff -Nru gtkwave-3.3.116/share/appdata/gtkwave.appdata.xml gtkwave-3.3.118/share/appdata/gtkwave.appdata.xml --- gtkwave-3.3.116/share/appdata/gtkwave.appdata.xml 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/share/appdata/gtkwave.appdata.xml 1970-01-01 02:00:00.000000000 +0200 
@@ -1,20 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- Copyright 2014 Tony Bybell <byb...@rocketmail.com> --> -<application> -<id type="desktop">gtkwave.desktop</id> -<metadata_license>CC0-1.0</metadata_license> -<summary>Electronic waveform viewer for viewing simulation results</summary> -<description> -<p> -GTKWave is a fully featured GTK+ based waveform viewer which reads FST, LXT, LXT2, VZT, and GHW files as well as standard Verilog VCD/EVCD files and allows their viewing. -</p> -<p> -The viewer supports both post-mortem viewing of VCD files and interactive viewing of VCD data. Tcl scripting and callback capability allow for remote control by other applications. -</p> -</description> -<url type="homepage">http://gtkwave.sourceforge.net/</url> -<screenshots> -<screenshot type="default">http://gtkwave.sourceforge.net/gtkwave-appdata.png</screenshot> -</screenshots> -<updatecontact>byb...@rocketmail.com</updatecontact> -</application> diff -Nru gtkwave-3.3.116/share/appdata/io.github.gtkwave.GTKWave.metainfo.xml gtkwave-3.3.118/share/appdata/io.github.gtkwave.GTKWave.metainfo.xml --- gtkwave-3.3.116/share/appdata/io.github.gtkwave.GTKWave.metainfo.xml 1970-01-01 02:00:00.000000000 +0200 +++ gtkwave-3.3.118/share/appdata/io.github.gtkwave.GTKWave.metainfo.xml 2023-12-31 23:11:03.000000000 +0200 
@@ -0,0 +1,143 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- Copyright 2023 Tony Bybell <byb...@rocketmail.com> --> +<component type="desktop"> + <id>io.github.gtkwave.GTKWave</id> + <metadata_license>CC0-1.0</metadata_license> + <project_license>GPL-2.0-or-later</project_license> + <name>GTKWave</name> + <developer_name>Tony Bybell</developer_name> + <update_contact>byb...@rocketmail.com</update_contact> + <summary>Electronic waveform viewer for viewing simulation results</summary> + <description> + <p> + GTKWave is a fully featured GTK+ based waveform viewer which reads FST and + GHW files as well as standard Verilog VCD/EVCD files and allows their viewing. + </p> + <p> + The viewer supports both post-mortem viewing of VCD files and interactive viewing of VCD data. + Tcl scripting and callback capability allow for remote control by other applications. + </p> + </description> + + <url type="homepage">http://gtkwave.sourceforge.net/</url> + <url type="bugtracker">https://github.com/gtkwave/gtkwave/issues</url> + <url type="help">https://github.com/gtkwave/gtkwave</url> + + <screenshots> + <screenshot type="default"> + <image>http://gtkwave.sourceforge.net/gtkwave-appdata.png</image> + </screenshot> + </screenshots> + + <content_rating type="oars-1.0" /> + + <releases> + <release version="3.3.118" date="2023-10-20"> + <description> + <p> + Changes in 3.3.118: + </p> + <ul> + <li>Update xml2stems to handle newer "loc" vs "fl" xml tags</li> + <li>Change preg_regex_c_1 decl to use regex_t* as datatype</li> + <li>Move gtkwave.appdata.xml to io.github.gtkwave.GTKWave.metainfo.xml</li> + </ul> + </description> + </release> + + <release version="3.3.117" date="2023-08-08"> + <description> + <p> + Changes in 3.3.117: + </p> + <ul> + <li>Fix stems reader processing code broken in 3.3.114</li> + </ul> + </description> + </release> + + <release version="3.3.116" date="2023-06-25"> + <description> + <p> + Changes in 3.3.116: + </p> + <ul> + <li>Fix manpage/odt for vcd2fst 
command switch documentation for zlibpack</li> + <li>Add GDK_WINDOWING_WAYLAND check for gdkwayland.h header usage</li> + <li>Changed sprintf to snprintf in fstapi.c</li> + <li>Fix init crash on show_base_symbols enabled</li> + </ul> + </description> + </release> + + <release version="3.3.115" date="2023-03-28"> + <description> + <p> + Changes in 3.3.115: + </p> + <ul> + <li>Fix VZT reader with -fstrict-aliasing</li> + <li>Fix use_multi_state condition in vzt_write.c</li> + <li>Fix for UNDEF vs strings at start of a vzt file</li> + <li>Fix sleep() time scaling redefine for mingw</li> + <li>Use MapViewOfFileEx for mmap on Windows (fstapi)</li> + <li>Define FST_DO_MISALIGNED_OPS on AArch64 (fstapi)</li> + <li>Fixed attrbegin short length problem</li> + </ul> + </description> + </release> + + <release version="3.3.114" date="2022-11-23"> + <description> + <p> + Changes in 3.3.114: + </p> + <ul> + <li>Buffer overflow fixes in FST reader</li> + </ul> + </description> + </release> + + <release version="3.3.113" date="2022-10-04"> + <description> + <p> + Changes in 3.3.113: + </p> + <ul> + <li>High CPU utilization when nothing is happening</li> + </ul> + </description> + </release> + + <release version="3.3.112" date="2022-10-04"> + <description> + <p> + Changes in 3.3.112: + </p> + <ul> + <li>Bugfix-only release, no feature adds</li> + <li>VCD reader fixes for unnamed Icarus begin blocks</li> + <li>String data type crash fix in fst.c</li> + </ul> + </description> + </release> + + <release version="3.3.111" date="2021-09-01"> + <description> + <p> + Changes in 3.3.111: + </p> + <ul> + <li>Rendering fix for filled rectangles and line caps in Cairo</li> + <li>Fix in fstapi for read start limit time</li> + <li>Use GtkSearchEntry in SST</li> + <li>Convert entrybox to use dialog box</li> + <li>Entrybox: use default response instead of signal handler</li> + <li>Updated show-change widget</li> + <li>Fix xml2stems when begin blocks are in functions</li> + <li>Skip over decimal 
point in timescale in viewer</li> + </ul> + </description> + </release> + </releases> +</component> diff -Nru gtkwave-3.3.116/share/appdata/Makefile.am gtkwave-3.3.118/share/appdata/Makefile.am --- gtkwave-3.3.116/share/appdata/Makefile.am 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/share/appdata/Makefile.am 2023-12-31 23:11:03.000000000 +0200 @@ -1,4 +1,4 @@ ## -*- makefile -*- ## -EXTRA_DIST= gtkwave.appdata.xml +EXTRA_DIST= io.github.gtkwave.GTKWave.metainfo.xml diff -Nru gtkwave-3.3.116/share/appdata/Makefile.in gtkwave-3.3.118/share/appdata/Makefile.in --- gtkwave-3.3.116/share/appdata/Makefile.in 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/share/appdata/Makefile.in 2023-12-31 23:11:03.000000000 +0200 @@ -261,7 +261,7 @@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ -EXTRA_DIST = gtkwave.appdata.xml +EXTRA_DIST = io.github.gtkwave.GTKWave.metainfo.xml all: all-am .SUFFIXES: diff -Nru gtkwave-3.3.116/src/debug.c gtkwave-3.3.118/src/debug.c --- gtkwave-3.3.116/src/debug.c 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/src/debug.c 2023-12-31 23:11:04.000000000 +0200 
@@ -736,3 +736,42 @@ return(w); } + +/******************************************************/ + +FILE *popen_san(const char *command, const char *type) /* TALOS-2023-1786 */ +{ +const char *p = command; +int is_ok = 1; +char ch; + +while(p && (ch = *(p++))) + { + switch(ch) + { + case '&': + case '|': + case ';': + case '\n': + case '`': + case '$': + is_ok = 0; + + default: + break; + } + } + +if(is_ok) + { + return(popen(command, type)); + } +else + { + fprintf(stderr, "GTKWAVE | TALOS-2023-1786: popen() command string '%s' may not be properly sanitized, blocking command.\n", command); + errno = EPIPE; + return(NULL); + } +} + +/******************************************************/ diff -Nru gtkwave-3.3.116/src/debug.h gtkwave-3.3.118/src/debug.h --- gtkwave-3.3.116/src/debug.h 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/src/debug.h 2023-12-31 23:11:04.000000000 +0200 @@ -187,5 +187,6 @@ GtkWidget *X_gtk_entry_new_with_max_length (gint max); -#endif +FILE *popen_san(const char *command, const char *type); /* TALOS-2023-1786 */ +#endif diff -Nru gtkwave-3.3.116/src/extload.c gtkwave-3.3.118/src/extload.c --- gtkwave-3.3.116/src/extload.c 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/src/extload.c 2023-12-31 23:11:04.000000000 +0200 @@ -1693,7 +1693,7 @@ last_modification_check(); sprintf(sbuff, "%s -info %s 2>&1", EXTLOAD_PATH, fname); -GLOBALS->extload = popen(sbuff, "r"); +GLOBALS->extload = popen_san(sbuff, "r"); for(;;) { char * rc = fgets(sbuff, 65536, GLOBALS->extload); @@ -1898,7 +1898,7 @@ if(!last_modification_check()) { GLOBALS->extload_already_errored = 1; return(LLDescriptor(0)); } sprintf(sbuff, "%s -hier_tree %s 2>&1", EXTLOAD_PATH, fname); -GLOBALS->extload = popen(sbuff, "r"); +GLOBALS->extload = popen_san(sbuff, "r"); /* do your stuff here..all useful info has been initialized by now */ 
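Review bot: popen_san() filters the complete command string against a deny-list of six characters, which rejects legitimate commands that happen to contain one of them while leaving the rest of the shell's syntax (quoting, redirection, grouping, whitespace in a file name) to be parsed by /bin/sh. A sturdier fix is to bypass the shell entirely: build an argv array and start the helper with fork()/execv() or posix_spawn() over a pipe, so the file name is only ever passed as data. If the filter stays, mark the deliberate fall-through from `case '$':` into `default:` with `/* fallthrough */`, and leave the loop as soon as `is_ok` is cleared. A header comment should state the contract: `/* returns NULL with errno = EPIPE when command contains & | ; newline backquote or $ */`.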
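Review bot: This call can never succeed as written, because the format string ends in `2>&1` and `&` is one of the characters popen_san() (src/debug.c in this diff) rejects, so it always returns NULL. That NULL is then passed unchecked to `fgets(sbuff, 65536, GLOBALS->extload)` in the context lines that follow. Add `if(!GLOBALS->extload) { /* report and bail out */ }` directly after the call, and either drop the `2>&1` suffix or do the stderr redirection outside the filtered string. The `-hier_tree` hunk at 1898 and the `-vc -vidcode` hunk at 2254 have the same two problems; the enclosing functions start and end outside the hunks.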
@@ -2254,7 +2254,7 @@ TimeType tim; sprintf(sbuff, "%s -vc -vidcode %d %s 2>&1", EXTLOAD_PATH, txidx_in_trace, GLOBALS->loaded_file_name); - GLOBALS->extload = popen(sbuff, "r"); + GLOBALS->extload = popen_san(sbuff, "r"); for(;;) { diff -Nru gtkwave-3.3.116/src/globals.h gtkwave-3.3.118/src/globals.h --- gtkwave-3.3.116/src/globals.h 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/src/globals.h 2023-12-31 23:11:04.000000000 +0200 @@ -766,7 +766,7 @@ /* * regex.c */ -struct re_pattern_buffer *preg_regex_c_1; /* from regex.c 339 */ +regex_t *preg_regex_c_1; /* from regex.c 339 */ int *regex_ok_regex_c_1; /* from regex.c 340 */ diff -Nru gtkwave-3.3.116/src/helpers/evcd2vcd.c gtkwave-3.3.118/src/helpers/evcd2vcd.c --- gtkwave-3.3.116/src/helpers/evcd2vcd.c 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/src/helpers/evcd2vcd.c 2023-12-31 23:11:04.000000000 +0200 @@ -37,6 +37,16 @@ #endif #include <unistd.h> +/* + * report abort messages + */ +static void chk_report_abort(const char *s) +{ +fprintf(stderr,"Triggered %s security check, exiting.\n", s); +abort(); +} + + ssize_t getline_replace(char **buf, size_t *len, FILE *f) { char *fgets_rc; @@ -234,6 +244,10 @@ if(!node) { Jval val; + if((len < 0) || (len > 32768)) + { + chk_report_abort("TALOS-2023-1803"); + } jrb_insert_int(vcd_ids, hash, val)->val2.i = len; } diff -Nru gtkwave-3.3.116/src/helpers/fst/fstapi.c gtkwave-3.3.118/src/helpers/fst/fstapi.c --- gtkwave-3.3.116/src/helpers/fst/fstapi.c 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/src/helpers/fst/fstapi.c 2023-12-31 23:11:04.000000000 +0200 @@ -193,6 +193,16 @@ /* + * report abort messages + */ +static void chk_report_abort(const char *s) +{ +fprintf(stderr,"Triggered %s security check, exiting.\n", s); +abort(); +} + + +/* * prevent old file overwrite when currently being read */ static FILE *unlink_fopen(const char *nam, const char *mode) 
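Review bot: chk_report_abort() ends the process with abort(), which raises SIGABRT and can leave a core dump, although a malformed input file is an expected condition; for this command-line converter `exit(EXIT_FAILURE)` after the message would be the cleaner exit. Identical static copies are added to src/helpers/fst/fstapi.c and src/helpers/lxt2_read.c later in this diff; if those readers are also linked into the viewer (not visible here), a rejected file would take the whole session down, so returning an error to the caller would be preferable there. Consider one shared, noreturn-marked declaration in place of three copies, with a comment such as `/* called when input fails a bounds check tied to the named advisory; does not return */`.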
@@ -550,7 +560,8 @@ static uint32_t fstReaderVarint32(FILE *f) { -unsigned char buf[5]; +int chk_len = 5; /* TALOS-2023-1783 */ +unsigned char buf[chk_len]; unsigned char *mem = buf; uint32_t rc = 0; int ch; @@ -559,7 +570,9 @@ { ch = fgetc(f); *(mem++) = ch; - } while(ch & 0x80); + } while((ch & 0x80) && (--chk_len)); + +if(ch & 0x80) chk_report_abort("TALOS-2023-1783"); mem--; for(;;) @@ -579,7 +592,8 @@ static uint32_t fstReaderVarint32WithSkip(FILE *f, uint32_t *skiplen) { -unsigned char buf[5]; +int chk_len = 5; /* TALOS-2023-1783 */ +unsigned char buf[chk_len]; unsigned char *mem = buf; uint32_t rc = 0; int ch; @@ -588,7 +602,9 @@ { ch = fgetc(f); *(mem++) = ch; - } while(ch & 0x80); + } while((ch & 0x80) && (--chk_len)); + +if(ch & 0x80) chk_report_abort("TALOS-2023-1783"); *skiplen = mem - buf; mem--; @@ -609,7 +625,8 @@ static uint64_t fstReaderVarint64(FILE *f) { -unsigned char buf[16]; +int chk_len = 16; /* TALOS-2023-1783 */ +unsigned char buf[chk_len]; unsigned char *mem = buf; uint64_t rc = 0; int ch; @@ -618,9 +635,12 @@ { ch = fgetc(f); *(mem++) = ch; - } while(ch & 0x80); + } while((ch & 0x80) && (--chk_len)); + +if(ch & 0x80) chk_report_abort("TALOS-2023-1783"); mem--; + for(;;) { rc <<= 7; @@ -1838,6 +1858,14 @@ xc->xc_parent = xc; memcpy(xc2, xc, sizeof(struct fstWriterContext)); + if(sizeof(size_t) < sizeof(uint64_t)) + { + /* TALOS-2023-1777 for 32b overflow */ + uint64_t chk_64 = xc->maxhandle * 4 * sizeof(uint32_t); + size_t chk_32 = xc->maxhandle * 4 * sizeof(uint32_t); + if(chk_64 != chk_32) chk_report_abort("TALOS-2023-1777"); + } + xc2->valpos_mem = (uint32_t *)malloc(xc->maxhandle * 4 * sizeof(uint32_t)); memcpy(xc2->valpos_mem, xc->valpos_mem, xc->maxhandle * 4 * sizeof(uint32_t)); 
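Review bot: `unsigned char buf[chk_len];` turns the fixed 5-byte buffer into a variable-length array, because chk_len is an ordinary modifiable int; keep the storage constant and derive the bound from it, `unsigned char buf[5]; int chk_len = sizeof(buf);`. The loop also stores fgetc()'s EOF as a data byte, and since `EOF & 0x80` is non-zero a merely truncated file runs the counter down and is reported as a TALOS-2023-1783 abort rather than a read error; test `ch == EOF` on its own. Both points apply equally to fstReaderVarint32WithSkip (hunks at 579 and 588) and fstReaderVarint64 (hunks at 609 and 618). The function bodies continue outside the hunks.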
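Review bot: On a 32-bit build the TALOS-2023-1777 comparison cannot fire if xc->maxhandle is a 32-bit type (its declaration is outside the hunk). `xc->maxhandle * 4 * sizeof(uint32_t)` is evaluated at size_t width and has already wrapped before it is widened into chk_64, so chk_64 and chk_32 are always equal. Widen before multiplying, `uint64_t chk_64 = (uint64_t)xc->maxhandle * 4 * sizeof(uint32_t);`, and test the malloc() result before the memcpy() that follows. The same evaluate-then-widen pattern is used by the TALOS-2023-1790 check (`len*4 + 1`) further down this file and the TALOS-2023-1821 check (`lt->len[i] + 1`) in lxt2_read.c; if those operands are 32-bit, the wrap also happens on 64-bit builds, where the check is skipped altogether.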
@@ -3434,7 +3462,7 @@ #ifndef FST_WRITEX_DISABLE -static void fstWritex(struct fstReaderContext *xc, void *v, int len) +static void fstWritex(struct fstReaderContext *xc, void *v, uint32_t len) /* TALOS-2023-1793: change len to unsigned */ { unsigned char *s = (unsigned char *)v; @@ -4181,7 +4209,7 @@ if((xc->hier.u.attr.subtype == FST_MT_SOURCESTEM)||(xc->hier.u.attr.subtype == FST_MT_SOURCEISTEM)) { int sidx_skiplen_dummy = 0; - xc->hier.u.attr.arg_from_name = fstGetVarint64((unsigned char *)xc->str_scope_nam, &sidx_skiplen_dummy); + xc->hier.u.attr.arg_from_name = fstGetVarint64((unsigned char *)xc->str_scope_attr, &sidx_skiplen_dummy); } } break; @@ -5060,6 +5088,7 @@ for(;;) { uint32_t *tc_head = NULL; + uint32_t tc_head_items = 0; traversal_mem_offs = 0; fstReaderFseeko(xc, xc->f, blkpos, SEEK_SET); @@ -5103,12 +5132,12 @@ } - mem_required_for_traversal = fstReaderUint64(xc->f); - mem_for_traversal = (unsigned char *)malloc(mem_required_for_traversal + 66); /* add in potential fastlz overhead */ + mem_required_for_traversal = fstReaderUint64(xc->f) + 66; /* add in potential fastlz overhead */ + mem_for_traversal = (unsigned char *)malloc(mem_required_for_traversal); #ifdef FST_DEBUG fprintf(stderr, FST_APIMESS "sec: %u seclen: %d begtim: %d endtim: %d\n", secnum, (int)seclen, (int)beg_tim, (int)end_tim); - fprintf(stderr, FST_APIMESS "mem_required_for_traversal: %d\n", (int)mem_required_for_traversal); + fprintf(stderr, FST_APIMESS "mem_required_for_traversal: %d\n", (int)mem_required_for_traversal-66); #endif /* process time block */ { 
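Review bot: In the hunk at 5103, `fstReaderUint64(xc->f) + 66` is stored into mem_required_for_traversal with no overflow test, so a file-supplied value within 66 of the 64-bit maximum wraps to a very small size, and on a 32-bit host the value is narrowed again when handed to malloc(). The bounds checks added later in this diff compare offsets against this variable rather than against the size actually allocated, so validate it before allocating, e.g. `if((mem_required_for_traversal < 66) || (mem_required_for_traversal > SIZE_MAX))` followed by a chk_report_abort() call. mem_for_traversal should also be tested for NULL before use. This assumes the variable is a uint64_t, as the reader call suggests; its declaration is outside the hunk.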
@@ -5158,6 +5187,22 @@ } free(time_table); + + if(sizeof(size_t) < sizeof(uint64_t)) + { + /* TALOS-2023-1792 for 32b overflow */ + uint64_t chk_64 = tsec_nitems * sizeof(uint64_t); + size_t chk_32 = ((size_t)tsec_nitems) * sizeof(uint64_t); + if(chk_64 != chk_32) chk_report_abort("TALOS-2023-1792"); + } + else + { + uint64_t chk_64 = tsec_nitems * sizeof(uint64_t); + if((chk_64/sizeof(uint64_t)) != tsec_nitems) + { + chk_report_abort("TALOS-2023-1792"); + } + } time_table = (uint64_t *)calloc(tsec_nitems, sizeof(uint64_t)); tpnt = ucdata; tpval = 0; @@ -5169,7 +5214,23 @@ tpnt += skiplen; } - tc_head = (uint32_t *)calloc(tsec_nitems /* scan-build */ ? tsec_nitems : 1, sizeof(uint32_t)); + tc_head_items = tsec_nitems /* scan-build */ ? tsec_nitems : 1; + if(sizeof(size_t) < sizeof(uint64_t)) + { + /* TALOS-2023-1792 for 32b overflow */ + uint64_t chk_64 = tc_head_items * sizeof(uint32_t); + size_t chk_32 = ((size_t)tc_head_items) * sizeof(uint32_t); + if(chk_64 != chk_32) chk_report_abort("TALOS-2023-1792"); + } + else + { + uint64_t chk_64 = tc_head_items * sizeof(uint32_t); + if((chk_64/sizeof(uint32_t)) != tc_head_items) + { + chk_report_abort("TALOS-2023-1792"); + } + } + tc_head = (uint32_t *)calloc(tc_head_items, sizeof(uint32_t)); free(ucdata); } @@ -5273,6 +5334,10 @@ { if(value_change_callback) { + if(xc->signal_lens[idx] > xc->longest_signal_value_len) + { + chk_report_abort("TALOS-2023-1797"); + } memcpy(xc->temp_signal_value_buf, mu+sig_offs, xc->signal_lens[idx]); xc->temp_signal_value_buf[xc->signal_lens[idx]] = 0; value_change_callback(user_callback_data_pointer, beg_tim, idx+1, xc->temp_signal_value_buf); @@ -5286,6 +5351,10 @@ vcd_id[0] = (xc->signal_typs[idx] != FST_VT_VCD_PORT) ? 'b' : 'p'; fstWritex(xc, vcd_id, 1); + if((sig_offs + xc->signal_lens[idx]) > frame_uclen) + { + chk_report_abort("TALOS-2023-1793"); + } fstWritex(xc,mu+sig_offs, xc->signal_lens[idx]); vcd_id[0] = ' '; /* collapse 3 writes into one I/O call */ 
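Review bot: The size check added before `calloc(tsec_nitems, sizeof(uint64_t))` is repeated almost verbatim before the tc_head allocation in the next hunk and twice more in the TALOS-2023-1798 hunk, differing only in the count and element size. One helper that compares the count against `SIZE_MAX / itemsize` covers both the 32-bit narrowing case and the 64-bit overflow case without the `sizeof(size_t) < sizeof(uint64_t)` split, and keeps the four call sites from drifting apart. Current C libraries already reject an overflowing product inside calloc(), so the case that needs the explicit test is the narrowing of a 64-bit count to size_t at the call. The surrounding block starts and ends outside the hunk.

```c
/* Abort with the given advisory tag unless nitems * itemsize fits in size_t. */
static void chk_alloc_count(uint64_t nitems, size_t itemsize, const char *tag)
{
if(itemsize && (nitems > (uint64_t)(SIZE_MAX / itemsize)))
        {
        chk_report_abort(tag);
        }
}

/* ... unchanged: free(time_table) ... */
chk_alloc_count(tsec_nitems, sizeof(uint64_t), "TALOS-2023-1792");
time_table = (uint64_t *)calloc(tsec_nitems, sizeof(uint64_t));
```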
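Review bot: The TALOS-2023-1797 test in the hunk at 5273 bounds only the destination of the memcpy(). The source side still reads `xc->signal_lens[idx]` bytes from `mu+sig_offs` without the `(sig_offs + xc->signal_lens[idx]) > frame_uclen` comparison that the fstWritex path receives in the hunk at 5286. Perform the frame_uclen check once before the `if(value_change_callback)` split so that both paths share it. The terminator store `xc->temp_signal_value_buf[xc->signal_lens[idx]] = 0` additionally requires the buffer to hold longest_signal_value_len + 1 bytes; the allocation is outside the hunk and should be confirmed.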
@@ -5410,7 +5479,44 @@ free(chain_table_lengths); vc_maxhandle_largest = vc_maxhandle; + + if(!(vc_maxhandle+1)) + { + chk_report_abort("TALOS-2023-1798"); + } + + if(sizeof(size_t) < sizeof(uint64_t)) + { + /* TALOS-2023-1798 for 32b overflow */ + uint64_t chk_64 = (vc_maxhandle+1) * sizeof(fst_off_t); + size_t chk_32 = ((size_t)(vc_maxhandle+1)) * sizeof(fst_off_t); + if(chk_64 != chk_32) chk_report_abort("TALOS-2023-1798"); + } + else + { + uint64_t chk_64 = (vc_maxhandle+1) * sizeof(fst_off_t); + if((chk_64/sizeof(fst_off_t)) != (vc_maxhandle+1)) + { + chk_report_abort("TALOS-2023-1798"); + } + } chain_table = (fst_off_t *)calloc((vc_maxhandle+1), sizeof(fst_off_t)); + + if(sizeof(size_t) < sizeof(uint64_t)) + { + /* TALOS-2023-1798 for 32b overflow */ + uint64_t chk_64 = (vc_maxhandle+1) * sizeof(uint32_t); + size_t chk_32 = ((size_t)(vc_maxhandle+1)) * sizeof(uint32_t); + if(chk_64 != chk_32) chk_report_abort("TALOS-2023-1798"); + } + else + { + uint64_t chk_64 = (vc_maxhandle+1) * sizeof(uint32_t); + if((chk_64/sizeof(uint32_t)) != (vc_maxhandle+1)) + { + chk_report_abort("TALOS-2023-1798"); + } + } chain_table_lengths = (uint32_t *)calloc((vc_maxhandle+1), sizeof(uint32_t)); } @@ -5454,6 +5560,11 @@ uint64_t val = fstGetVarint32(pnt, &skiplen); fstHandle loopcnt = val >> 1; + if((idx+loopcnt-1) > vc_maxhandle) /* TALOS-2023-1789 */ + { + chk_report_abort("TALOS-2023-1789"); + } + for(i=0;i<loopcnt;i++) { chain_table[idx++] = 0; @@ -5487,6 +5598,12 @@ else { fstHandle loopcnt = val >> 1; + + if((idx+loopcnt-1) > vc_maxhandle) /* TALOS-2023-1789 */ + { + chk_report_abort("TALOS-2023-1789"); + } + for(i=0;i<loopcnt;i++) { chain_table[idx++] = 0; @@ -5547,6 +5664,11 @@ unsigned long destlen = val; unsigned long sourcelen = chain_table_lengths[i]; + if(traversal_mem_offs >= mem_required_for_traversal) + { + chk_report_abort("TALOS-2023-1785"); + } + if(mc_mem_len < chain_table_lengths[i]) { free(mc_mem); 
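Review bot: The TALOS-2023-1785 guard in the hunk at 5547 tests only where the write begins (`traversal_mem_offs >= mem_required_for_traversal`), not where it ends. In the companion hunk at 5575 the next statement is `fstFread(mu, destlen, 1, xc->f)`, which stores destlen bytes starting at that offset, so an offset just below the limit still passes. Compare the remaining space with the length instead, e.g. `if((traversal_mem_offs > mem_required_for_traversal) || (destlen > (mem_required_for_traversal - traversal_mem_offs)))`. In the 5575 hunk destlen is an `int` computed as `chain_table_lengths[i] - skiplen`, so a negative result should be rejected before that comparison. The enclosing loop starts and ends outside both hunks.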
@@ -5575,6 +5697,12 @@ { int destlen = chain_table_lengths[i] - skiplen; unsigned char *mu = mem_for_traversal + traversal_mem_offs; + + if(traversal_mem_offs >= mem_required_for_traversal) + { + chk_report_abort("TALOS-2023-1785"); + } + fstFread(mu, destlen, 1, xc->f); /* data to process is for(j=0;j<destlen;j++) in mu[j] */ headptr[i] = traversal_mem_offs; @@ -5600,6 +5728,11 @@ tdelta = vli >> 1; } + if(tdelta >= tc_head_items) + { + chk_report_abort("TALOS-2023-1791"); + } + scatterptr[i] = tc_head[tdelta]; tc_head[tdelta] = i+1; } @@ -5698,6 +5831,11 @@ shamt = 2 << (vli & 1); tdelta = vli >> shamt; + if((tdelta+i) >= tc_head_items) + { + chk_report_abort("TALOS-2023-1791"); + } + scatterptr[idx] = tc_head[i+tdelta]; tc_head[i+tdelta] = idx+1; } @@ -5731,6 +5869,14 @@ vcdid_len = fstVcdIDForFwrite(vcd_id+1, idx+1); { + if(sizeof(size_t) < sizeof(uint64_t)) + { + /* TALOS-2023-1790 for 32b overflow */ + uint64_t chk_64 = len*4 + 1; + size_t chk_32 = len*4 + 1; + if(chk_64 != chk_32) chk_report_abort("TALOS-2023-1790"); + } + unsigned char *vesc = (unsigned char *)malloc(len*4 + 1); int vlen = fstUtilityBinToEsc(vesc, vdata, len); fstWritex(xc, vesc, vlen); @@ -5756,6 +5902,11 @@ vli = fstGetVarint32NoSkip(mem_for_traversal + headptr[idx]); tdelta = vli >> 1; + if((tdelta+i) >= tc_head_items) + { + chk_report_abort("TALOS-2023-1791"); + } + scatterptr[idx] = tc_head[i+tdelta]; tc_head[i+tdelta] = idx+1; } @@ -5772,6 +5923,11 @@ if(xc->signal_typs[idx] != FST_VT_VCD_REAL) { + if(len > xc->longest_signal_value_len) + { + chk_report_abort("TALOS-2023-1797"); + } + if(!(vli & 1)) { int byte = 0; @@ -5819,6 +5975,10 @@ unsigned char ch_bp = (xc->signal_typs[idx] != FST_VT_VCD_PORT) ? 'b' : 'p'; fstWritex(xc, &ch_bp, 1); + if((vdata - mem_for_traversal + len) > mem_required_for_traversal) + { + chk_report_abort("TALOS-2023-1793"); + } fstWritex(xc, vdata, len); } } 
@@ -5941,6 +6101,11 @@ vli = fstGetVarint32NoSkip(mem_for_traversal + headptr[idx]); tdelta = vli >> 1; + if((tdelta+i) >= tc_head_items) + { + chk_report_abort("TALOS-2023-1791"); + } + scatterptr[idx] = tc_head[i+tdelta]; tc_head[i+tdelta] = idx+1; } diff -Nru gtkwave-3.3.116/src/helpers/lxt2_read.c gtkwave-3.3.118/src/helpers/lxt2_read.c --- gtkwave-3.3.116/src/helpers/lxt2_read.c 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/src/helpers/lxt2_read.c 2023-12-31 23:11:04.000000000 +0200 @@ -90,6 +90,16 @@ /****************************************************************************/ /* + * report abort messages + */ +static void chk_report_abort(const char *s) +{ +fprintf(stderr,"Triggered %s security check, exiting.\n", s); +abort(); +} + + +/* * fast SWAR ones count for 32 and 64 bits */ #if LXT2_RD_GRANULE_SIZE > 32 @@ -141,6 +151,11 @@ int i; int len2 = len-1; +if(len >= sizeof(s)) + { + chk_report_abort("TALOS-2023-1827"); + } + for(i=0;i<len;i++) { *(p++) = '0' | ((value & (1<<(len2-i)))!=0); @@ -214,12 +229,20 @@ case LXT2_RD_ENC_INV: for(i=0;i<lt->len[idx];i++) { lt->value[idx][i] ^= 1; } break; case LXT2_RD_ENC_LSH0: - case LXT2_RD_ENC_LSH1: memmove(lt->value[idx], lt->value[idx]+1, lt->len[idx]-1); + case LXT2_RD_ENC_LSH1: if(!lt->len[idx]) + { + chk_report_abort("TALOS-2023-1824"); + } + memmove(lt->value[idx], lt->value[idx]+1, lt->len[idx]-1); lt->value[idx][lt->len[idx]-1] = '0'+(vch-LXT2_RD_ENC_LSH0); break; case LXT2_RD_ENC_RSH0: - case LXT2_RD_ENC_RSH1: memmove(lt->value[idx]+1, lt->value[idx], lt->len[idx]-1); + case LXT2_RD_ENC_RSH1: if(!lt->len[idx]) + { + chk_report_abort("TALOS-2023-1824"); + } + memmove(lt->value[idx]+1, lt->value[idx], lt->len[idx]-1); lt->value[idx][0] = '0'+(vch-LXT2_RD_ENC_RSH0); break; 
@@ -598,7 +621,21 @@ if(b->num_dict_entries) { + { + size_t chk_x = b->num_dict_entries * sizeof(char *); + if((chk_x / sizeof(char *)) != b->num_dict_entries) + { + chk_report_abort("TALOS-2023-1820"); + } + } b->string_pointers = malloc(b->num_dict_entries * sizeof(char *)); + { + size_t chk_x = b->num_dict_entries * sizeof(unsigned int); + if((chk_x / sizeof(unsigned int)) != b->num_dict_entries) + { + chk_report_abort("TALOS-2023-1820"); + } + } b->string_lens = malloc(b->num_dict_entries * sizeof(unsigned int)); pnt = b->dict_start; for(i=0;i<b->num_dict_entries;i++) @@ -662,6 +699,10 @@ /* fprintf(stderr, LXT2_RDLOAD"processing granule %d\n", granule); */ pnt++; lt->num_time_table_entries = lxt2_rd_get_byte(pnt, 0); + if(lt->num_time_table_entries > LXT2_RD_GRANULE_SIZE) + { + chk_report_abort("TALOS-2023-1819"); + } pnt++; for(i=0;i<lt->num_time_table_entries;i++) { @@ -884,6 +925,13 @@ lt->zhandle = gzdopen(dup(fileno(lt->handle)), "rb"); t = lt->numfacs * 4 * sizeof(lxtint32_t); + { + size_t chk_x = lt->numfacs * 4 * sizeof(lxtint32_t); + if((chk_x / (4 * sizeof(lxtint32_t))) != lt->numfacs) + { + chk_report_abort("TALOS-2023-1818"); + } + } m=(char *)malloc(t); rc=gzread(lt->zhandle, m, t); gzclose(lt->zhandle); lt->zhandle=NULL; @@ -899,11 +947,25 @@ pos = pos+lt->zfacgeometrysize; + { + size_t chk_x = lt->numfacs * sizeof(lxtint32_t); + if((chk_x / sizeof(lxtint32_t)) != lt->numfacs) + { + chk_report_abort("TALOS-2023-1818"); + } + } lt->rows = malloc(lt->numfacs * sizeof(lxtint32_t)); lt->msb = malloc(lt->numfacs * sizeof(lxtsint32_t)); lt->lsb = malloc(lt->numfacs * sizeof(lxtsint32_t)); lt->flags = malloc(lt->numfacs * sizeof(lxtint32_t)); lt->len = malloc(lt->numfacs * sizeof(lxtint32_t)); + { + size_t chk_x = lt->numfacs * sizeof(char *); + if((chk_x / sizeof(char *)) != lt->numfacs) + { + chk_report_abort("TALOS-2023-1818"); + } + } lt->value = malloc(lt->numfacs * sizeof(char *)); lt->next_radix = malloc(lt->numfacs * sizeof(void *)); 
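Review bot: The overflow checks added before `b->string_pointers = malloc(...)` and `b->string_lens = malloc(...)` stop a wrapped size, but a count that is large without wrapping can still make `malloc` return NULL. Neither result is tested in this hunk before the `for` loop that follows. A test after the second allocation, `if(!b->string_pointers || !b->string_lens) chk_report_abort("TALOS-2023-1820");`, would cover that case. The same applies to the allocations guarded for TALOS-2023-1818 further down this file and for TALOS-2023-1814 and TALOS-2023-1812 in vzt_read.c. The loop body is outside the hunk, so how the arrays are first written is inferred.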
@@ -922,6 +984,13 @@ { lt->len[i] = 32; } + if(sizeof(size_t) < sizeof(uint64_t)) + { + /* TALOS-2023-1821 for 32b overflow */ + uint64_t chk_64 = lt->len[i] + 1; + size_t chk_32 = lt->len[i] + 1; + if(chk_64 != chk_32) chk_report_abort("TALOS-2023-1821"); + } lt->value[i] = calloc(lt->len[i] + 1, sizeof(char)); } @@ -1261,12 +1330,24 @@ clone=lxt2_rd_get_16(lt->faccache->n, 0); lt->faccache->n+=2; pnt=lt->faccache->bufcurr; + if(clone > lt->longestname) + { + chk_report_abort("TALOS-2023-1826"); + } + for(j=0;j<clone;j++) { *(pnt++) = lt->faccache->bufprev[j]; } - while((*(pnt++)=lxt2_rd_get_byte(lt->faccache->n++,0))); + do + { + if((pnt - lt->faccache->bufcurr) > lt->longestname) + { + chk_report_abort("TALOS-2023-1826"); + } + } + while((*(pnt++)=lxt2_rd_get_byte(lt->faccache->n++,0))); lt->faccache->old_facidx = facidx; return(lt->faccache->bufcurr); } @@ -1526,6 +1607,11 @@ rcf = fread(&unclen, 4, 1, lt->handle); unclen = rcf ? lxt2_rd_get_32(&unclen,0) : 0; rcf = fread(&iter, 4, 1, lt->handle); iter = rcf ? lxt2_rd_get_32(&iter,0) : 0; + if(unclen > b->uncompressed_siz) + { + chk_report_abort("TALOS-2023-1823"); /* could fix this up with a realloc(), but abort to indicate the file is malformed */ + } + fspos += 12; if((iter==0xFFFFFFFF)||(lt->process_mask_compressed[iter/LXT2_RD_PARTIAL_SIZE])) { @@ -1533,6 +1619,10 @@ { if(zbuff) free(zbuff); zlen = clen * 2; + if(zlen < clen) + { + chk_report_abort("TALOS-2023-1822"); + } zbuff = malloc(zlen ? zlen : 1 /* scan-build */); } diff -Nru gtkwave-3.3.116/src/helpers/vcd2fst.c gtkwave-3.3.118/src/helpers/vcd2fst.c --- gtkwave-3.3.116/src/helpers/vcd2fst.c 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/src/helpers/vcd2fst.c 2023-12-31 23:11:04.000000000 +0200 
@@ -68,6 +68,43 @@ return(pnt); } +/******************************************************/ + +static FILE *popen_san(const char *command, const char *type) /* TALOS-2023-1786 */ +{ +const char *p = command; +int is_ok = 1; +char ch; + +while(p && (ch = *(p++))) + { + switch(ch) + { + case '&': + case '|': + case ';': + case '\n': + case '`': + case '$': + is_ok = 0; + + default: + break; + } + } + +if(is_ok) + { + return(popen(command, type)); + } +else + { + fprintf(stderr, "GTKWAVE | TALOS-2023-1786: popen() command string '%s' may not be properly sanitized, blocking command.\n", command); + return(NULL); + } +} + +/******************************************************/ /*********************************************************/ /*** vvv extload component type name determination vvv ***/ @@ -281,7 +318,7 @@ void *xc = fstReaderOpenForUtilitiesOnly(); sprintf(sbuff, "%s -info %s 2>&1", EXTLOAD_PATH, fname); -extload = popen(sbuff, "r"); +extload = popen_san(sbuff, "r"); if(extload) { while(get_info(extload)); @@ -295,7 +332,7 @@ } sprintf(sbuff, "%s -tree %s 2>&1", EXTLOAD_PATH, fname); -extload = popen(sbuff, "r"); +extload = popen_san(sbuff, "r"); if(extload) { while(get_scopename(xc, extload)); @@ -482,7 +519,7 @@ if(suffix_check(vname, "."EXTLOAD_SUFFIX) || suffix_check(vname, "."EXTLOAD_SUFFIX".gz") || suffix_check(vname, "."EXTLOAD_SUFFIX".bz2")) { sprintf(bin_fixbuff, EXTCONV_PATH" %s", vname); - f = popen(bin_fixbuff, "r"); + f = popen_san(bin_fixbuff, "r"); is_popen = 1; is_extload = 1; #ifndef _WAVE_HAVE_JUDY @@ -497,7 +534,7 @@ if(suffix_check(vname, "."EXT2LOAD_SUFFIX)) { sprintf(bin_fixbuff, EXT2CONV_PATH" %s", vname); - f = popen(bin_fixbuff, "r"); + f = popen_san(bin_fixbuff, "r"); is_popen = 1; } else 
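Review bot: The switch in popen_san() rejects only `&`, `|`, `;`, newline, backquote and `$`, and it scans the finished command string rather than the file name that was formatted into it, so redirection characters, quotes, parentheses and whitespace in a name still reach the shell. Because the command itself needs spaces, the list cannot be completed at this level. Validating the file name before the `sprintf`, or starting the converter with an argument vector through `posix_spawn`/`execv` instead of `popen`, would close that gap. The `is_ok = 0;` case also falls into `default:` unmarked, so a `/* fallthrough */` comment there would document the intent. The same function is pasted into vcd2lxt2.c, vcd2lxt.c and vcd2vzt.c later in this patch, so any correction has to be repeated in each copy.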
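Review bot: The command built by `sprintf(sbuff, "%s -info %s 2>&1", EXTLOAD_PATH, fname)` always contains `&`, and popen_san() clears `is_ok` on any `&`, so as written this call is blocked for every file name and `extload` is always NULL. The `-tree` command in the next hunk has the same `2>&1` suffix and the same result. Running the character check on `fname` alone before the `sprintf` and passing the finished string to plain `popen` would keep the stderr redirection, while dropping `2>&1` from both format strings would be the smaller change. The bodies of the surrounding functions are outside these hunks, so how a NULL `extload` is reported to the user is not visible.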
@@ -506,7 +543,7 @@ if(suffix_check(vname, "."EXT3LOAD_SUFFIX)) { sprintf(bin_fixbuff, EXT3CONV_PATH" %s", vname); - f = popen(bin_fixbuff, "r"); + f = popen_san(bin_fixbuff, "r"); is_popen = 1; } else diff -Nru gtkwave-3.3.116/src/helpers/vcd2lxt2.c gtkwave-3.3.118/src/helpers/vcd2lxt2.c --- gtkwave-3.3.116/src/helpers/vcd2lxt2.c 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/src/helpers/vcd2lxt2.c 2023-12-31 23:11:04.000000000 +0200 @@ -145,6 +145,53 @@ /******************************************************************/ +/* + * report abort messages + */ +static void chk_report_abort(const char *s) +{ +fprintf(stderr,"Triggered %s security check, exiting.\n", s); +abort(); +} + +/******************************************************************/ + +static FILE *popen_san(const char *command, const char *type) /* TALOS-2023-1786 */ +{ +const char *p = command; +int is_ok = 1; +char ch; + +while(p && (ch = *(p++))) + { + switch(ch) + { + case '&': + case '|': + case ';': + case '\n': + case '`': + case '$': + is_ok = 0; + + default: + break; + } + } + +if(is_ok) + { + return(popen(command, type)); + } +else + { + fprintf(stderr, "GTKWAVE | TALOS-2023-1786: popen() command string '%s' may not be properly sanitized, blocking command.\n", command); + return(NULL); + } +} + +/******************************************************************/ + static unsigned int vcd_minid = ~0; static unsigned int vcd_maxid = 0; @@ -199,6 +246,8 @@ { return(indexed[hsh-vcd_minid]); } + + return(NULL); /* TALOS-2023-1807 */ } v=(struct vcdsymbol **)bsearch(key, sorted, numsyms, 
@@ -561,7 +610,16 @@ { if(len==T_MAX_STR) { - yytext=(char *)realloc_2(yytext, (T_MAX_STR=T_MAX_STR*2)+1); + if(!varsplit) + { + yytext=(char *)realloc_2(yytext, (T_MAX_STR=T_MAX_STR*2)+1); + } + else /* TALOS-2023-1806 */ + { + int vsplit_len = varsplit - yytext; /* save old len */ + yytext=(char *)realloc_2(yytext, (T_MAX_STR=T_MAX_STR*2)+1); + varsplit = yytext+vsplit_len; /* reconstruct old len in new buffer */ + } } ch=getch(); @@ -930,7 +988,7 @@ } else { - if(yylen_cache<v->size) + if(yylen_cache<=v->size) /* TALOS-2023-1804 */ { free_2(vector); vector=malloc_2(v->size+1); @@ -1139,6 +1197,11 @@ int vtok; struct vcdsymbol *v=NULL; + if(header_over) + { + chk_report_abort("TALOS-2023-1805: $var after $enddefinitions"); + } + var_prevch=0; if(varsplit) { @@ -1585,7 +1648,7 @@ str=(char *)wave_alloca(strlen(fname)+dlen+1); strcpy(str,WAVE_DECOMPRESSOR); strcpy(str+dlen,fname); - vcd_handle=popen(str,"r"); + vcd_handle=popen_san(str,"r"); vcd_is_compressed=~0; } else diff -Nru gtkwave-3.3.116/src/helpers/vcd2lxt.c gtkwave-3.3.118/src/helpers/vcd2lxt.c --- gtkwave-3.3.116/src/helpers/vcd2lxt.c 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/src/helpers/vcd2lxt.c 2023-12-31 23:11:04.000000000 +0200 
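Review bot: Both branches of the TALOS-2023-1806 fix make the identical `realloc_2` call, so the longest line in the hunk now exists twice and must be kept in sync. Saving the offset first needs only one call: `size_t vsplit_off = varsplit ? (size_t)(varsplit - yytext) : 0;`, then the existing `yytext=(char *)realloc_2(...)` line, then `if(varsplit) varsplit = yytext + vsplit_off;`. That form also avoids narrowing the pointer difference to `int`. The same two-branch form is repeated in vcd2lxt.c, vcd2vzt.c, vcd.c, vcd_partial.c and vcd_recoder.c later in this patch. The enclosing loop starts outside the hunk, so whether other pointers into `yytext` are held across the reallocation cannot be seen here.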
@@ -139,6 +139,53 @@ /******************************************************************/ +/* + * report abort messages + */ +static void chk_report_abort(const char *s) +{ +fprintf(stderr,"Triggered %s security check, exiting.\n", s); +abort(); +} + +/******************************************************************/ + +static FILE *popen_san(const char *command, const char *type) /* TALOS-2023-1786 */ +{ +const char *p = command; +int is_ok = 1; +char ch; + +while(p && (ch = *(p++))) + { + switch(ch) + { + case '&': + case '|': + case ';': + case '\n': + case '`': + case '$': + is_ok = 0; + + default: + break; + } + } + +if(is_ok) + { + return(popen(command, type)); + } +else + { + fprintf(stderr, "GTKWAVE | TALOS-2023-1786: popen() command string '%s' may not be properly sanitized, blocking command.\n", command); + return(NULL); + } +} + +/******************************************************************/ + static unsigned int vcd_minid = ~0; static unsigned int vcd_maxid = 0; @@ -193,6 +240,8 @@ { return(indexed[hsh-vcd_minid]); } + + return(NULL); /* TALOS-2023-1807 */ } v=(struct vcdsymbol **)bsearch(key, sorted, numsyms, @@ -556,7 +605,16 @@ { if(len==T_MAX_STR) { - yytext=(char *)realloc_2(yytext, (T_MAX_STR=T_MAX_STR*2)+1); + if(!varsplit) + { + yytext=(char *)realloc_2(yytext, (T_MAX_STR=T_MAX_STR*2)+1); + } + else /* TALOS-2023-1806 */ + { + int vsplit_len = varsplit - yytext; /* save old len */ + yytext=(char *)realloc_2(yytext, (T_MAX_STR=T_MAX_STR*2)+1); + varsplit = yytext+vsplit_len; /* reconstruct old len in new buffer */ + } } ch=getch(); @@ -925,7 +983,7 @@ } else { - if(yylen_cache<v->size) + if(yylen_cache<=v->size) /* TALOS-2023-1804 */ { free_2(vector); vector=malloc_2(v->size+1); @@ -1137,6 +1195,11 @@ int vtok; struct vcdsymbol *v=NULL; + if(header_over) + { + chk_report_abort("TALOS-2023-1805: $var after $enddefinitions"); + } + var_prevch=0; if(varsplit) { 
@@ -1661,7 +1724,7 @@ str=(char *)wave_alloca(strlen(fname)+dlen+1); strcpy(str,WAVE_DECOMPRESSOR); strcpy(str+dlen,fname); - vcd_handle=popen(str,"r"); + vcd_handle=popen_san(str,"r"); vcd_is_compressed=~0; } else diff -Nru gtkwave-3.3.116/src/helpers/vcd2vzt.c gtkwave-3.3.118/src/helpers/vcd2vzt.c --- gtkwave-3.3.116/src/helpers/vcd2vzt.c 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/src/helpers/vcd2vzt.c 2023-12-31 23:11:04.000000000 +0200 @@ -147,6 +147,53 @@ /******************************************************************/ +/* + * report abort messages + */ +static void chk_report_abort(const char *s) +{ +fprintf(stderr,"Triggered %s security check, exiting.\n", s); +abort(); +} + +/******************************************************************/ + +static FILE *popen_san(const char *command, const char *type) /* TALOS-2023-1786 */ +{ +const char *p = command; +int is_ok = 1; +char ch; + +while(p && (ch = *(p++))) + { + switch(ch) + { + case '&': + case '|': + case ';': + case '\n': + case '`': + case '$': + is_ok = 0; + + default: + break; + } + } + +if(is_ok) + { + return(popen(command, type)); + } +else + { + fprintf(stderr, "GTKWAVE | TALOS-2023-1786: popen() command string '%s' may not be properly sanitized, blocking command.\n", command); + return(NULL); + } +} + +/******************************************************************/ + static unsigned int vcd_minid = ~0; static unsigned int vcd_maxid = 0; @@ -201,6 +248,8 @@ { return(indexed[hsh-vcd_minid]); } + + return(NULL); /* TALOS-2023-1807 */ } v=(struct vcdsymbol **)bsearch(key, sorted, numsyms, 
@@ -563,7 +612,16 @@ { if(len==T_MAX_STR) { - yytext=(char *)realloc_2(yytext, (T_MAX_STR=T_MAX_STR*2)+1); + if(!varsplit) + { + yytext=(char *)realloc_2(yytext, (T_MAX_STR=T_MAX_STR*2)+1); + } + else /* TALOS-2023-1806 */ + { + int vsplit_len = varsplit - yytext; /* save old len */ + yytext=(char *)realloc_2(yytext, (T_MAX_STR=T_MAX_STR*2)+1); + varsplit = yytext+vsplit_len; /* reconstruct old len in new buffer */ + } } ch=getch(); @@ -932,7 +990,7 @@ } else { - if(yylen_cache<v->size) + if(yylen_cache<=v->size) /* TALOS-2023-1804 */ { free_2(vector); vector=malloc_2(v->size+1); @@ -1149,6 +1207,11 @@ int vtok; struct vcdsymbol *v=NULL; + if(header_over) + { + chk_report_abort("TALOS-2023-1805: $var after $enddefinitions"); + } + var_prevch=0; if(varsplit) { @@ -1595,7 +1658,7 @@ str=(char *)wave_alloca(strlen(fname)+dlen+1); strcpy(str,WAVE_DECOMPRESSOR); strcpy(str+dlen,fname); - vcd_handle=popen(str,"r"); + vcd_handle=popen_san(str,"r"); vcd_is_compressed=~0; } else diff -Nru gtkwave-3.3.116/src/helpers/vzt_read.c gtkwave-3.3.118/src/helpers/vzt_read.c --- gtkwave-3.3.116/src/helpers/vzt_read.c 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/src/helpers/vzt_read.c 2023-12-31 23:11:04.000000000 +0200 @@ -38,6 +38,17 @@ /****************************************************************************/ +/* + * report abort messages + */ +static void chk_report_abort(const char *s) +{ +fprintf(stderr,"Triggered %s security check, exiting.\n", s); +abort(); +} + +/****************************************************************************/ + static int is_big_endian(void) { union @@ -326,6 +337,13 @@ if(num_time_ticks != 0) { vztint64_t cur_time; + { + size_t chk_x = num_time_ticks * sizeof(vztint64_t); + if((chk_x / sizeof(vztint64_t)) != num_time_ticks) + { + chk_report_abort("TALOS-2023-1814"); + } + } times = malloc(num_time_ticks * sizeof(vztint64_t)); times[0] = cur_time = vzt_rd_get_v64(&pnt); for(i=1;i<num_time_ticks;i++) 
@@ -340,6 +358,13 @@ vztint64_t cur_time = b->start; num_time_ticks = b->end - b->start + 1; + { + size_t chk_x = num_time_ticks * sizeof(vztint64_t); + if((chk_x / sizeof(vztint64_t)) != num_time_ticks) + { + chk_report_abort("TALOS-2023-1814"); + } + } times = malloc(num_time_ticks * sizeof(vztint64_t)); for(i=0;i<num_time_ticks;i++) @@ -360,6 +385,20 @@ vztint32_t first_bit = 0, curr_bit = 0; vztint32_t runlen; + if(num_sections && num_dict_entries) + { + size_t chk_x = (num_sections * num_dict_entries); + size_t chk_y = chk_x * sizeof(vztint32_t); + + if((chk_x/num_sections) != num_dict_entries) + { + chk_report_abort("TALOS-2023-1815"); + } + if((chk_y/sizeof(vztint32_t)) != chk_x) + { + chk_report_abort("TALOS-2023-1815"); + } + } val_dict = calloc(1, b->num_rle_bytes = (num_dict_words = num_sections * num_dict_entries) * sizeof(vztint32_t)); curr_dec_dict = val_dict; @@ -444,7 +483,20 @@ } } +if(num_sections && num_dict_entries) + { + size_t chk_x = (num_sections * num_dict_entries); + size_t chk_y = chk_x * sizeof(vztint32_t); + if((chk_x/num_sections) != num_dict_entries) + { + chk_report_abort("TALOS-2023-1815"); + } + if((chk_y/sizeof(vztint32_t)) != chk_x) + { + chk_report_abort("TALOS-2023-1815"); + } + } num_dict_words = (num_sections * num_dict_entries) * sizeof(vztint32_t); change_dict = malloc(num_dict_words ? num_dict_words : sizeof(vztint32_t)); /* scan-build */ m = 0; @@ -866,10 +918,17 @@ i2 = vzt_rd_next_value_chg_time(lt, b, i, idx); if(i2) { - struct vzt_ncycle_autosort *t = autosort[i2]; - - autofacs[idx].next = t; - autosort[i2] = autofacs+idx; + if(i2 < b->num_time_ticks) + { + struct vzt_ncycle_autosort *t = autosort[i2]; + + autofacs[idx].next = t; + autosort[i2] = autofacs+idx; + } + else + { + chk_report_abort("TALOS-2023-1817"); + } } else { 
@@ -917,10 +976,17 @@ if(i2!=i) { - struct vzt_ncycle_autosort *ta = autosort[i2]; + if(i2 < b->num_time_ticks) + { + struct vzt_ncycle_autosort *ta = autosort[i2]; - autofacs[idx].next = ta; - autosort[i2] = autofacs+idx; + autofacs[idx].next = ta; + autosort[i2] = autofacs+idx; + } + else + { + chk_report_abort("TALOS-2023-1817"); + } } else { @@ -1131,12 +1197,24 @@ clonecnt=vzt_rd_get_16(lt->faccache->n, 0); lt->faccache->n+=2; pnt=lt->faccache->bufcurr; + if(clonecnt > lt->longestname) + { + chk_report_abort("TALOS-2023-1813"); + } + for(j=0;j<clonecnt;j++) { *(pnt++) = lt->faccache->bufprev[j]; } - while((*(pnt++)=vzt_rd_get_byte(lt->faccache->n++,0))); + char *bufcurr_exceeded = lt->faccache->bufcurr + (lt->longestname+1); + do + { + if(bufcurr_exceeded == pnt) + { + chk_report_abort("TALOS-2023-1813"); + } + } while((*(pnt++)=vzt_rd_get_byte(lt->faccache->n++,0))); lt->faccache->old_facidx = facidx; return(lt->faccache->bufcurr); } @@ -1853,6 +1931,13 @@ pos = pos+lt->zfacgeometrysize; + { + size_t chk_x = lt->numfacs * sizeof(vztint32_t); + if((chk_x / sizeof(vztint32_t)) != lt->numfacs) + { + chk_report_abort("TALOS-2023-1812"); + } + } lt->rows = malloc(lt->numfacs * sizeof(vztint32_t)); lt->msb = malloc(lt->numfacs * sizeof(vztsint32_t)); lt->lsb = malloc(lt->numfacs * sizeof(vztsint32_t)); @@ -1887,6 +1972,14 @@ } } + if(sizeof(size_t) < sizeof(uint64_t)) + { + if(lt->longest_len == 0xffffffff) + { + chk_report_abort("TALOS-2023-1816"); + } + } + vindex_offset = 0; /* offset in value table */ for(lt->numrealfacs=0; lt->numrealfacs<lt->numfacs; lt->numrealfacs++) { diff -Nru gtkwave-3.3.116/src/libghw.c gtkwave-3.3.118/src/libghw.c --- gtkwave-3.3.116/src/libghw.c 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/src/libghw.c 2023-12-31 23:11:04.000000000 +0200 @@ -22,6 +22,7 @@ #include <unistd.h> #include "libghw.h" +#include "debug.h" /* Reopen H through decompressor DECOMP. */ 
@@ -33,7 +34,7 @@ snprintf (p, plen, "%s %s", decomp, filename); fclose (h->stream); - h->stream = popen (p, "r"); + h->stream = popen_san (p, "r"); free (p); if (h->stream == NULL) diff -Nru gtkwave-3.3.116/src/liblzma/LzmaLib.c gtkwave-3.3.118/src/liblzma/LzmaLib.c --- gtkwave-3.3.116/src/liblzma/LzmaLib.c 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/src/liblzma/LzmaLib.c 2023-12-31 23:11:04.000000000 +0200 @@ -51,6 +51,16 @@ }; +/* + * report abort messages + */ +static void chk_report_abort(const char *s) +{ +fprintf(stderr,"Triggered %s security check, exiting.\n", s); +abort(); +} + + static void LZMA_write_varint(struct lzma_handle_t *h, size_t v) { size_t nxt; @@ -72,16 +82,22 @@ /* ifdef is warnings fix if XZ is not present */ static size_t LZMA_read_varint(struct lzma_handle_t *h) { -unsigned char buf[16]; +int chk_len = 16; /* TALOS-2023-1811 */ +unsigned char buf[chk_len]; int idx = 0; size_t rc = 0; -for(;;) +while(idx<chk_len) { h->read_cnt += read(h->fd, buf+idx, 1); if(buf[idx++] & 0x80) break; } +if(idx == chk_len) + { + chk_report_abort("TALOS-2023-1811"); + } + do { idx--; @@ -324,6 +340,21 @@ srclen = LZMA_read_varint(h); + if(srclen > h->blksiz) /* TALOS-2023-1810 */ + { + if(h->dmem) + { + free(h->dmem); + } + if(h->mem) + { + free(h->mem); + } + h->blksiz = srclen; + h->mem = malloc(h->blksiz); + h->dmem = malloc(h->blksiz); + } + if(!srclen) { h->read_cnt += (rc = read(h->fd, h->mem, dstlen)); @@ -335,7 +366,7 @@ lzma_stream strm = LZMA_STREAM_INIT; lzma_ret lrc; - h->read_cnt += (rc = read(h->fd, h->dmem, srclen)); + h->read_cnt += (rc = read(h->fd, h->dmem, srclen)); /* TALOS-2023-1810: srclen used here, generally ok as data are compressible */ lrc = lzma_alone_decoder(&strm, LZMA_DECODER_SIZE); if(lrc != LZMA_OK) diff -Nru gtkwave-3.3.116/src/main.c gtkwave-3.3.118/src/main.c --- gtkwave-3.3.116/src/main.c 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/src/main.c 2023-12-31 23:11:04.000000000 +0200 
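Review bot: In LZMA_read_varint(), `int chk_len = 16; unsigned char buf[chk_len];` turns `buf` into a variable-length array because `chk_len` is not a constant expression; `enum { chk_len = 16 };` keeps it a fixed-size array. The test `if(idx == chk_len)` also fires when the byte with the high bit set is the sixteenth one, because `idx` has already been incremented at the `break`, so a full-length but terminated value is reported as TALOS-2023-1811; a comment saying whether that is intended would help. The result of `read()` is still added to `h->read_cnt` and `buf[idx]` tested without checking for 0 or -1, so at end of file the loop examines an uninitialised byte.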
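Review bot: The TALOS-2023-1810 block grows both buffers to whatever `srclen` the file declares, with no upper limit and without testing the two `malloc` results, so an oversized value leaves `h->mem` and `h->dmem` NULL for the reads and the decoder that follow. Adding `if(!h->mem || !h->dmem) chk_report_abort("TALOS-2023-1810");` after the allocations would stop that. The `if(!srclen)` branch reads `dstlen` bytes into `h->mem`, and nothing in the hunk compares `dstlen` with `h->blksiz`; a matching `if(dstlen > h->blksiz) chk_report_abort("TALOS-2023-1810");` would bound that path. `dstlen` is assigned outside the hunk, so it may already be limited there.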
@@ -1926,7 +1926,7 @@ str=wave_alloca(strlen(wname)+dlen+1); strcpy(str,WAVE_DECOMPRESSOR); strcpy(str+dlen,wname); - wave=popen(str,"r"); + wave=popen_san(str,"r"); wave_is_compressed=~0; } else @@ -1974,7 +1974,7 @@ if(wave_is_compressed) { pclose(wave); - wave=popen(str,"r"); + wave=popen_san(str,"r"); } else { diff -Nru gtkwave-3.3.116/src/ptranslate.c gtkwave-3.3.118/src/ptranslate.c --- gtkwave-3.3.116/src/ptranslate.c 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/src/ptranslate.c 2023-12-31 23:11:04.000000000 +0200 @@ -166,7 +166,7 @@ #if !defined __MINGW32__ cmd = (char *)malloc_2(strlen(exec_name)+6+1); sprintf(cmd, "which %s", exec_name); - stream = popen(cmd, "r"); + stream = popen_san(cmd, "r"); result = fscanf(stream, "%s", abs_path); diff -Nru gtkwave-3.3.116/src/savefile.c gtkwave-3.3.118/src/savefile.c --- gtkwave-3.3.116/src/savefile.c 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/src/savefile.c 2023-12-31 23:11:04.000000000 +0200 @@ -667,7 +667,7 @@ str=wave_alloca(strlen(wname)+5+1); strcpy(str,"zcat "); strcpy(str+5,wname); - wave=popen(str,"r"); + wave=popen_san(str,"r"); wave_is_compressed=~0; } else @@ -804,7 +804,7 @@ if(wave_is_compressed) { pclose(wave); - wave=popen(str,"r"); + wave=popen_san(str,"r"); } else { diff -Nru gtkwave-3.3.116/src/ttranslate.c gtkwave-3.3.118/src/ttranslate.c --- gtkwave-3.3.116/src/ttranslate.c 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/src/ttranslate.c 2023-12-31 23:11:04.000000000 +0200 @@ -187,7 +187,7 @@ #if !defined __MINGW32__ cmd = (char *)malloc_2(strlen(exec_name)+6+1); sprintf(cmd, "which %s", exec_name); - stream = popen(cmd, "r"); + stream = popen_san(cmd, "r"); result = fscanf(stream, "%s", abs_path); diff -Nru gtkwave-3.3.116/src/vcd.c gtkwave-3.3.118/src/vcd.c --- gtkwave-3.3.116/src/vcd.c 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/src/vcd.c 2023-12-31 23:11:04.000000000 +0200 
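Review bot: In the ptranslate.c hunk `stream = popen_san(cmd, "r");` is followed directly by `result = fscanf(stream, "%s", abs_path);`, and popen_san() returns NULL whenever it blocks a command, so an `exec_name` that it rejects now leads to `fscanf` on a NULL stream. A test of `stream` before the `fscanf`, handled the same way as an executable that `which` cannot find, would avoid that. The `"%s"` conversion has no field width, so the output is copied into `abs_path` without a bound; the size of `abs_path` is declared outside the hunk. The ttranslate.c hunk below has the same two lines, and the rest of both functions lies outside the hunks, so the cleanup path is not visible.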
@@ -549,7 +549,16 @@ { if(len==GLOBALS->T_MAX_STR_vcd_c_1) { - GLOBALS->yytext_vcd_c_1=(char *)realloc_2(GLOBALS->yytext_vcd_c_1, (GLOBALS->T_MAX_STR_vcd_c_1=GLOBALS->T_MAX_STR_vcd_c_1*2)+1); + if(!GLOBALS->varsplit_vcd_c_1) + { + GLOBALS->yytext_vcd_c_1=(char *)realloc_2(GLOBALS->yytext_vcd_c_1, (GLOBALS->T_MAX_STR_vcd_c_1=GLOBALS->T_MAX_STR_vcd_c_1*2)+1); + } + else /* TALOS-2023-1806 */ + { + int vsplit_len = GLOBALS->varsplit_vcd_c_1 - GLOBALS->yytext_vcd_c_1; /* save old len */ + GLOBALS->yytext_vcd_c_1=(char *)realloc_2(GLOBALS->yytext_vcd_c_1, (GLOBALS->T_MAX_STR_vcd_c_1=GLOBALS->T_MAX_STR_vcd_c_1*2)+1); + GLOBALS->varsplit_vcd_c_1 = GLOBALS->yytext_vcd_c_1+vsplit_len; /* reconstruct old len in new buffer */ + } } ch=getch(); @@ -962,7 +971,7 @@ } else { - if(GLOBALS->yylen_cache_vcd_c_1<v->size) + if(GLOBALS->yylen_cache_vcd_c_1<=v->size) /* TALOS-2023-1804 */ { free_2(vector); vector=malloc_2(v->size+1); @@ -1245,7 +1254,7 @@ sync_end(NULL); break; case T_VAR: - if((GLOBALS->header_over_vcd_c_1)&&(0)) + if(GLOBALS->header_over_vcd_c_1) /* reinstated because of TALOS-2023-1805 */ { fprintf(stderr,"$VAR encountered after $ENDDEFINITIONS near byte %d. VCD is malformed, exiting.\n", (int)(GLOBALS->vcdbyteno_vcd_c_1+(GLOBALS->vst_vcd_c_1-GLOBALS->vcdbuf_vcd_c_1))); @@ -2626,7 +2635,7 @@ str=wave_alloca(strlen(fname)+dlen+1); strcpy(str,WAVE_DECOMPRESSOR); strcpy(str+dlen,fname); - GLOBALS->vcd_handle_vcd_c_1=popen(str,"r"); + GLOBALS->vcd_handle_vcd_c_1=popen_san(str,"r"); GLOBALS->vcd_is_compressed_vcd_c_1=~0; } else diff -Nru gtkwave-3.3.116/src/vcd_partial.c gtkwave-3.3.118/src/vcd_partial.c --- gtkwave-3.3.116/src/vcd_partial.c 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/src/vcd_partial.c 2023-12-31 23:11:04.000000000 +0200 
@@ -525,7 +525,16 @@ { if(len==GLOBALS->T_MAX_STR_vcd_partial_c_2) { - GLOBALS->yytext_vcd_partial_c_2=(char *)realloc_2(GLOBALS->yytext_vcd_partial_c_2, (GLOBALS->T_MAX_STR_vcd_partial_c_2=GLOBALS->T_MAX_STR_vcd_partial_c_2*2)+1); + if(!GLOBALS->varsplit_vcd_partial_c_2) + { + GLOBALS->yytext_vcd_partial_c_2=(char *)realloc_2(GLOBALS->yytext_vcd_partial_c_2, (GLOBALS->T_MAX_STR_vcd_partial_c_2=GLOBALS->T_MAX_STR_vcd_partial_c_2*2)+1); + } + else /* TALOS-2023-1806 */ + { + int vsplit_len = GLOBALS->varsplit_vcd_partial_c_2 - GLOBALS->yytext_vcd_partial_c_2; /* save old len */ + GLOBALS->yytext_vcd_partial_c_2=(char *)realloc_2(GLOBALS->yytext_vcd_partial_c_2, (GLOBALS->T_MAX_STR_vcd_partial_c_2=GLOBALS->T_MAX_STR_vcd_partial_c_2*2)+1); + GLOBALS->varsplit_vcd_partial_c_2 = GLOBALS->yytext_vcd_partial_c_2+vsplit_len; /* reconstruct old len in new buffer */ + } } ch=getch(); @@ -898,7 +907,7 @@ } else { - if(GLOBALS->yylen_cache_vcd_partial_c_2<v->size) + if(GLOBALS->yylen_cache_vcd_partial_c_2<=v->size) /* TALOS-2023-1804 */ { free_2(vector); vector=malloc_2(v->size+1); @@ -1193,11 +1202,11 @@ sync_end(NULL); break; case T_VAR: - if((GLOBALS->header_over_vcd_partial_c_2)&&(0)) + if(GLOBALS->header_over_vcd_partial_c_2) /* reinstated because of TALOS-2023-1805 */ { fprintf(stderr,"$VAR encountered after $ENDDEFINITIONS near byte %d. VCD is malformed, exiting.\n", (int)(GLOBALS->vcdbyteno_vcd_partial_c_2+(GLOBALS->vst_vcd_partial_c_2-GLOBALS->vcdbuf_vcd_partial_c_2))); - exit(0); + exit(255); } else { diff -Nru gtkwave-3.3.116/src/vcd_recoder.c gtkwave-3.3.118/src/vcd_recoder.c --- gtkwave-3.3.116/src/vcd_recoder.c 2023-07-23 03:37:07.000000000 +0300 +++ gtkwave-3.3.118/src/vcd_recoder.c 2023-12-31 23:11:04.000000000 +0200 
@@ -1054,7 +1054,16 @@ { if(len==GLOBALS->T_MAX_STR_vcd_recoder_c_3) { - GLOBALS->yytext_vcd_recoder_c_3=(char *)realloc_2(GLOBALS->yytext_vcd_recoder_c_3, (GLOBALS->T_MAX_STR_vcd_recoder_c_3=GLOBALS->T_MAX_STR_vcd_recoder_c_3*2)+1); + if(!GLOBALS->varsplit_vcd_recoder_c_3) + { + GLOBALS->yytext_vcd_recoder_c_3=(char *)realloc_2(GLOBALS->yytext_vcd_recoder_c_3, (GLOBALS->T_MAX_STR_vcd_recoder_c_3=GLOBALS->T_MAX_STR_vcd_recoder_c_3*2)+1); + } + else /* TALOS-2023-1806 */ + { + int vsplit_len = GLOBALS->varsplit_vcd_recoder_c_3 - GLOBALS->yytext_vcd_recoder_c_3; /* save old len */ + GLOBALS->yytext_vcd_recoder_c_3=(char *)realloc_2(GLOBALS->yytext_vcd_recoder_c_3, (GLOBALS->T_MAX_STR_vcd_recoder_c_3=GLOBALS->T_MAX_STR_vcd_recoder_c_3*2)+1); + GLOBALS->varsplit_vcd_recoder_c_3 = GLOBALS->yytext_vcd_recoder_c_3+vsplit_len; /* reconstruct old len in new buffer */ + } } ch=getch(); @@ -1587,7 +1596,7 @@ sync_end(NULL); break; case T_VAR: - if((GLOBALS->header_over_vcd_recoder_c_3)&&(0)) + if(GLOBALS->header_over_vcd_recoder_c_3) /* reinstated because of TALOS-2023-1805 */ { fprintf(stderr,"$VAR encountered after $ENDDEFINITIONS near byte %d. VCD is malformed, exiting.\n", (int)(GLOBALS->vcdbyteno_vcd_recoder_c_3+(GLOBALS->vst_vcd_recoder_c_3-GLOBALS->vcdbuf_vcd_recoder_c_3))); @@ -2816,7 +2825,7 @@ str=wave_alloca(strlen(fname)+dlen+1); strcpy(str,WAVE_DECOMPRESSOR); strcpy(str+dlen,fname); - GLOBALS->vcd_handle_vcd_recoder_c_2=popen(str,"r"); + GLOBALS->vcd_handle_vcd_recoder_c_2=popen_san(str,"r"); GLOBALS->vcd_is_compressed_vcd_recoder_c_2=~0; } else