From 0ed8a4953f9179d0f077f24779f1cb51c8e9a126 Mon Sep 17 00:00:00 2001
From: ankita prasad
Date: Tue, 12 Jul 2022 17:51:01 +0000
Subject: [PATCH] Fix added to mitigate CVE-2022-29458

ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library. The fix is picked from - https://github.com/mirror/ncurses/commit/4c9f63c460cb7134f142aa65f6866c175ed77605 for the file tinfo/read_entry.c.

Signed-off-by: Ankita Prasad
---
 ncurses/tinfo/read_entry.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c
index 5b570b0f..06c0c437 100644
--- a/ncurses/tinfo/read_entry.c
+++ b/ncurses/tinfo/read_entry.c
@@ -145,6 +145,7 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
 {
 int i;
 char *p;
+ bool corrupt = FALSE;

 for (i = 0; i < count; i++) {
 if (IS_NEG1(buf + 2 * i)) {
@@ -154,17 +155,29 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
 } else if (MyNumber(buf + 2 * i) > size) {
 Strings[i] = ABSENT_STRING;
 } else {
- Strings[i] = (MyNumber(buf + 2 * i) + table);
- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i])));
+ int nn = MyNumber(buf + 2 * i);
+ if (nn >= 0 && nn < size) {
+ Strings[i] = (nn + table);
+ TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
+ _nc_visbuf(Strings[i])));
+ } else {
+ if (!corrupt) {
+ corrupt = TRUE;
+ TR(TRACE_DATABASE,
+ ("ignore out-of-range index %d to Strings[]", nn));
+ _nc_warning("corrupt data found in convert_strings");
+ }
+ Strings[i] = ABSENT_STRING;
+ }
 }

 /* make sure all strings are NUL terminated */
 if (VALID_STRING(Strings[i])) {
- for (p = Strings[i]; p <= table + size; p++)
+ for (p = Strings[i]; p < table + size; p++)
 if (*p == '\0')
 break;
 /* if there is no NUL, ignore the string */
- if (p > table + size)
+ if (p >= table + size)
 Strings[i] = ABSENT_STRING;
 }
 }
-- 
2.25.1
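Review bot: In the second hunk, the new `_nc_warning("corrupt data found in convert_strings")` is reached only for offsets that the unchanged `else if (MyNumber(buf + 2 * i) > size)` branch lets through, i.e. `nn == size` or a negative value not caught by the sentinel tests earlier in the chain (only `IS_NEG1` is visible here). An offset larger than `size` is therefore still set to `ABSENT_STRING` silently, although it points to the same kind of corrupt entry, so anyone relying on the warning to spot malformed terminfo files will miss that case. The commit message says the fix is picked from upstream, so keeping the code identical may be intentional; in that case a comment above `int nn = MyNumber(buf + 2 * i);` would document the split, for example `/* offsets > size were rejected above; this catches nn == size and stray negative offsets */`. A short comment on `corrupt` in the first hunk, such as `/* warn only once per call */`, would also help. `convert_strings` starts before the first hunk, and the lines between the two hunks are not shown.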