[sword-devel] [PATCH] filters: Fixed a number of buffer overflows due to buffers being too short for sprintf.
Jaak Ristioja
jaak at ristioja.ee
Wed Sep 27 22:39:53 MST 2017
Hello!
A recent version of GCC discovered a number of exploitable buffer
overflows in Sword++. Attached is a patch ported to Sword master.
J
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sprintf-overflows-fix.patch
Type: text/x-patch
Size: 5028 bytes
Desc: not available
URL: <http://www.crosswire.org/pipermail/sword-devel/attachments/20170928/dd704e3b/attachment.bin>
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
commit 0a78609a1993d1a4a3bf3eebcc1eab3fd30d77e9
Author: Jaak Ristioja <jaak at ristioja.ee>
Date: Thu Sep 28 08:24:58 2017 +0300
filters: Fixed a number of buffer overflows due to buffers being too short for sprintf.
diff --git a/src/modules/filters/gbfstrongs.cpp b/src/modules/filters/gbfstrongs.cpp
index c9b5af9d..5651b875 100644
- --- a/src/modules/filters/gbfstrongs.cpp
+++ b/src/modules/filters/gbfstrongs.cpp
@@ -58,7 +58,7 @@ char GBFStrongs::processText(SWBuf &text, const SWKey *key, const SWModule *modu
bool lastspace = false;
int word = 1;
char val[128];
- - char wordstr[5];
+ char wordstr[11u];
char *valto;
unsigned int textStart = 0, textEnd = 0;
bool newText = false;
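Review bot: `char wordstr[11u]` holds ten digits plus the terminator, so it is still one byte short if the formatted `int` can ever be negative: with a 32-bit `int` the longest `%d`-style output is `-2147483648`, eleven characters plus NUL. The call that fills `wordstr` is outside this hunk, so whether `word` can go negative there is not visible; sizing for the full range removes the question, e.g. `char wordstr[12]; // sign + 10 digits + NUL for a 32-bit int`. The same bare `11u` is repeated in every other hunk of this patch (gbfwordjs.cpp, greeklexattribs.cpp, osisstrongs.cpp, osiswordjs.cpp, thmlstrongs.cpp, thmlwordjs.cpp), so one shared named constant would keep the sizes consistent and document why the number was chosen. The body of processText begins and ends outside the hunk.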
diff --git a/src/modules/filters/gbfwordjs.cpp b/src/modules/filters/gbfwordjs.cpp
index 63098a8e..f2233baf 100644
- --- a/src/modules/filters/gbfwordjs.cpp
+++ b/src/modules/filters/gbfwordjs.cpp
@@ -65,7 +65,7 @@ char GBFWordJS::processText(SWBuf &text, const SWKey *key, const SWModule *modul
bool intoken = false;
int word = 1;
char val[128];
- - char wordstr[5];
+ char wordstr[11u];
unsigned int textStart = 0, lastAppendLen = 0, textEnd = 0;
SWBuf tmp;
bool newText = false;
@@ -137,7 +137,7 @@ char GBFWordJS::processText(SWBuf &text, const SWKey *key, const SWModule *modul
text += token;
text += '>';
if (needWordOut) {
- - char wstr[10];
+ char wstr[11u];
sprintf(wstr, "%03d", word-2);
AttributeValue *wAttrs = &(module->getEntryAttributes()["Word"][wstr]);
needWordOut = false;
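Review bot: The `sprintf(wstr, "%03d", word-2)` call directly under the widened declaration is still unbounded, so the fix depends on the array size and the format string being kept in sync by hand. A bounded call, `snprintf(wstr, sizeof(wstr), "%03d", word-2);`, truncates instead of writing past the array if either one changes later. The same applies to the `word-1` call in the next hunk of this file and to both `wstr` hunks in thmlwordjs.cpp. The enclosing `if (needWordOut)` block and processText itself continue outside the hunk.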
@@ -234,7 +234,7 @@ char GBFWordJS::processText(SWBuf &text, const SWKey *key, const SWModule *modul
}
}
- - char wstr[10];
+ char wstr[11u];
sprintf(wstr, "%03d", word-1);
AttributeValue *wAttrs = &(module->getEntryAttributes()["Word"][wstr]);
needWordOut = false;
diff --git a/src/modules/filters/greeklexattribs.cpp b/src/modules/filters/greeklexattribs.cpp
index cd04d30e..048c4acb 100644
- --- a/src/modules/filters/greeklexattribs.cpp
+++ b/src/modules/filters/greeklexattribs.cpp
@@ -44,7 +44,7 @@ char GreekLexAttribs::processText(SWBuf &text, const SWKey *key, const SWModule
string phrase;
string freq;
char val[128], *valto;
- - char wordstr[7];
+ char wordstr[11u];
const char *currentPhrase = 0;
const char *currentPhraseEnd = 0;
int number = 0;
diff --git a/src/modules/filters/osisstrongs.cpp b/src/modules/filters/osisstrongs.cpp
index 898aa666..cf82202d 100644
- --- a/src/modules/filters/osisstrongs.cpp
+++ b/src/modules/filters/osisstrongs.cpp
@@ -57,7 +57,7 @@ char OSISStrongs::processText(SWBuf &text, const SWKey *key, const SWModule *mod
SWBuf token;
bool intoken = false;
int wordNum = 1;
- - char wordstr[5];
+ char wordstr[11u];
const char *wordStart = 0;
SWBuf page = ""; // some modules include <seg> page info, so we add these to the words
diff --git a/src/modules/filters/osiswordjs.cpp b/src/modules/filters/osiswordjs.cpp
index b76b942c..3977b6eb 100644
- --- a/src/modules/filters/osiswordjs.cpp
+++ b/src/modules/filters/osiswordjs.cpp
@@ -66,7 +66,7 @@ char OSISWordJS::processText(SWBuf &text, const SWKey *key, const SWModule *modu
int tokpos = 0;
bool intoken = false;
int wordNum = 1;
- - char wordstr[5];
+ char wordstr[11u];
SWBuf modName = (module)?module->getName():"";
// add TR to w src in KJV then remove this next line
SWBuf wordSrcPrefix = (modName == "KJV")?SWBuf("TR"):modName;
diff --git a/src/modules/filters/thmlstrongs.cpp b/src/modules/filters/thmlstrongs.cpp
index 524ebfcc..f7b4f9ed 100644
- --- a/src/modules/filters/thmlstrongs.cpp
+++ b/src/modules/filters/thmlstrongs.cpp
@@ -60,7 +60,7 @@ char ThMLStrongs::processText(SWBuf &text, const SWKey *key, const SWModule *mod
bool lastspace = false;
int word = 1;
char val[128];
- - char wordstr[5];
+ char wordstr[11u];
char *valto;
char *ch;
unsigned int textStart = 0, textEnd = 0;
diff --git a/src/modules/filters/thmlwordjs.cpp b/src/modules/filters/thmlwordjs.cpp
index f20f6384..93e19b05 100644
- --- a/src/modules/filters/thmlwordjs.cpp
+++ b/src/modules/filters/thmlwordjs.cpp
@@ -68,7 +68,7 @@ char ThMLWordJS::processText(SWBuf &text, const SWKey *key, const SWModule *modu
char val[128];
char *valto;
char *ch;
- - char wordstr[5];
+ char wordstr[11u];
unsigned int textStart = 0, lastAppendLen = 0, textEnd = 0;
SWBuf tmp;
bool newText = false;
@@ -151,7 +151,7 @@ char ThMLWordJS::processText(SWBuf &text, const SWKey *key, const SWModule *modu
text += token;
text += '>';
if (needWordOut) {
- - char wstr[10];
+ char wstr[11u];
sprintf(wstr, "%03d", word-2);
AttributeValue *wAttrs = &(module->getEntryAttributes()["Word"][wstr]);
needWordOut = false;
@@ -248,7 +248,7 @@ char ThMLWordJS::processText(SWBuf &text, const SWKey *key, const SWModule *modu
}
}
- - char wstr[10];
+ char wstr[11u];
sprintf(wstr, "%03d", word-1);
AttributeValue *wAttrs = &(module->getEntryAttributes()["Word"][wstr]);
needWordOut = false;
-----BEGIN PGP SIGNATURE-----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=MR/J
-----END PGP SIGNATURE-----