A voluntary security review of the importers by infamous41md has turned up three buffer overflow errors in the xfig import code. These errors have existed since the code was first created in version 0.87, but are corrected as of version 0.95-pre6. The attached patch fixes them for version 0.94.
-Lars
diff -u /tmp/dia-0.94/plug-ins/xfig/xfig.h ./xfig.h
--- /tmp/dia-0.94/plug-ins/xfig/xfig.h 2004-08-16 09:56:21.000000000 +0200
+++ ./xfig.h 2006-03-29 21:40:15.000000000 +0200
@@ -6,6 +6,7 @@
 #define FIG_MAX_DEFAULT_COLORS 32
 #define FIG_MAX_USER_COLORS 512
+#define FIG_MAX_DEPTHS 1000 /* 1200 PPI */
 #define FIG_UNIT 472.440944881889763779527559055118 /* 1/80 inch */
diff -u /tmp/dia-0.94/plug-ins/xfig/xfig-import.c ./xfig-import.c
--- /tmp/dia-0.94/plug-ins/xfig/xfig-import.c 2004-08-16 09:56:21.000000000 +0200
+++ ./xfig-import.c 2006-03-29 21:40:21.000000000 +0200
@@ -441,11 +441,17 @@
 static Color
 fig_color(int color_index) {
- if (color_index == -1)
+ if (color_index <= -1)
 return color_black; /* Default color */
- if (color_index < FIG_MAX_DEFAULT_COLORS)
+ else if (color_index < FIG_MAX_DEFAULT_COLORS)
 return fig_default_colors[color_index];
- else return fig_colors[color_index-FIG_MAX_DEFAULT_COLORS];
+ else if (color_index < FIG_MAX_USER_COLORS)
+ return fig_colors[color_index-FIG_MAX_DEFAULT_COLORS];
+ else {
+ message_error(_("Color index %d too high, only 512 colors allowed. Using black instead."),
+ color_index);
+ return color_black;
+ }
 }
 static Color
@@ -563,23 +569,25 @@
 static int
 fig_read_n_points(FILE *file, int n, Point **points) {
 int i;
- Point *new_points;
-
- new_points = (Point*)g_malloc(sizeof(Point)*n);
+ GArray *points_list = g_array_sized_new(FALSE, FALSE, sizeof(Point), n);
 for (i = 0; i < n; i++) {
 int x,y;
+ Point p;
 if (fscanf(file, " %d %d ", &x, &y) != 2) {
 message_error(_("Error while reading %dth of %d points: %s\n"), i, n, strerror(errno));
- free(new_points);
+ g_array_free(points_list, TRUE);
 return FALSE;
 }
- new_points[i].x = x/FIG_UNIT;
- new_points[i].y = y/FIG_UNIT;
+ p.x = x/FIG_UNIT;
+ p.y = y/FIG_UNIT;
+ g_array_append_val(points_list, p);
 }
 fscanf(file, "\n");
- *points = new_points;
+
+ *points = (Point *)points_list->data;
+ g_array_free(points_list, FALSE);
 return TRUE;
 }
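Review bot: The new guard `else if (color_index < FIG_MAX_USER_COLORS)` in fig_color is measured against the wrong quantity: the subscript on the following line is `color_index-FIG_MAX_DEFAULT_COLORS`, and if fig_colors holds FIG_MAX_USER_COLORS entries, as the initialisation loop in the @@ -1551 hunk suggests, the slots for indices 512..543 exist but are now reported as "too high" and replaced by black. A guard that matches the array is `else if (color_index - FIG_MAX_DEFAULT_COLORS < FIG_MAX_USER_COLORS)`, with the message quoting the constant instead of a literal 512. The same mismatch recurs in the @@ -1347 hunk: `colornumber > FIG_MAX_USER_COLORS` accepts 512 and rejects 513..543, so the store (outside that hunk, presumably indexing fig_colors the same way) and this lookup disagree on what is legal, and that message reports the range as `0..%d` although the same condition rejects values below 32; `if (colornumber < FIG_MAX_DEFAULT_COLORS || colornumber - FIG_MAX_DEFAULT_COLORS >= FIG_MAX_USER_COLORS)` keeps the two consistent. Neither check can overrun as written, so this is about rejecting legal input consistently, not memory safety.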
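Review bot: `n` is handed to g_array_sized_new as the reserved element count without a sign check; that parameter is unsigned, so a negative count read from the file wraps to a huge reservation instead of being rejected, and unless a caller outside this hunk validates n first the function should begin with `if (n < 0) { message_error(_("Invalid number of points: %d\n"), n); return FALSE; }`. The return path at the end also changes the ownership rule: `*points` now receives GArray-managed memory released via g_array_free(..., FALSE), which must be freed with g_free(), whereas the old error path used free() on the same buffer; callers that release *points with free() cannot be seen from this hunk and should be checked. A one-line contract comment above the function would keep that visible: `/* On success *points is g_malloc()-allocated and owned by the caller; release with g_free(). */`.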
@@ -683,7 +691,7 @@
 return text_buf;
 }
-static GList *depths[1000];
+static GList *depths[FIG_MAX_DEPTHS];
 /* If there's something in the compound stack, we ignore the depth field, as it will be determined by the group anyway */
@@ -693,6 +701,26 @@
 level. Best we can do now. */
 static int compound_depth;
+/** Add an object at a given depth. This function checks for depth limits
+ * and updates the compound depth if needed.
+ *
+ * @param newobj An object to add. If we're inside a compound, this
+ * doesn't really add the object.
+ * @param depth A depth as in the Fig format, max 999
+ */
+static void
+add_at_depth(DiaObject *newobj, int depth) {
+ if (depth < 0 || depth >= FIG_MAX_DEPTHS) {
+ message_error(_("Depth %d of of range, only 0-%d allowed.\n"),
+ depth, FIG_MAX_DEPTHS-1);
+ depth = FIG_MAX_DEPTHS - 1;
+ }
+ if (compound_stack == NULL)
+ depths[depth] = g_list_append(depths[depth], newobj);
+ else
+ if (compound_depth > depth) compound_depth = depth;
+}
+
 static DiaObject *
 fig_read_ellipse(FILE *file, DiagramData *dia) {
 int sub_type;
@@ -749,10 +777,7 @@
 /* Angle -- can't rotate yet */
 /* Depth field */
- if (compound_stack == NULL)
- depths[depth] = g_list_append(depths[depth], newobj);
- else
- if (compound_depth > depth) compound_depth = depth;
+ add_at_depth(newobj, depth);
 return newobj;
 }
@@ -885,10 +910,7 @@
 /* Cap style */
 /* Depth field */
- if (compound_stack == NULL)
- depths[depth] = g_list_append(depths[depth], newobj);
- else
- if (compound_depth > depth) compound_depth = depth;
+ add_at_depth(newobj, depth);
 exit:
 prop_list_free(props);
 g_free(forward_arrow_info);
@@ -1111,10 +1133,7 @@
 /* Cap style */
 /* Depth field */
- if (compound_stack == NULL)
- depths[depth] = g_list_append(depths[depth], newobj);
- else
- if (compound_depth > depth) compound_depth = depth;
+ add_at_depth(newobj, depth);
 exit:
 prop_list_free(props);
 g_free(forward_arrow_info);
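Review bot: The message in add_at_depth reads "Depth %d of of range", a typo in a user-visible, translatable string; change the line to `message_error(_("Depth %d out of range, only 0-%d allowed.\n"),`. The doc comment above it states "max 999" as a literal while the body clamps to FIG_MAX_DEPTHS - 1, so the comment drifts as soon as the constant changes; `@param depth A depth as in the Fig format, 0..FIG_MAX_DEPTHS-1; out-of-range values are clamped to the maximum after a warning` describes what the code actually does. The remaining hunks in this line replace the inline depth code with the call and need nothing further.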
@@ -1202,10 +1221,7 @@
 /* Cap style */
 /* Depth field */
- if (compound_stack == NULL)
- depths[depth] = g_list_append(depths[depth], newobj);
- else
- if (compound_depth > depth) compound_depth = depth;
+ add_at_depth(newobj, depth);
 exit:
 g_free(forward_arrow_info);
@@ -1298,10 +1314,7 @@
 newobj->ops->set_props(newobj, props);
 /* Depth field */
- if (compound_stack == NULL)
- depths[depth] = g_list_append(depths[depth], newobj);
- else
- if (compound_depth > depth) compound_depth = depth;
+ add_at_depth(newobj, depth);
 exit:
 if (text_buf != NULL) free(text_buf);
@@ -1347,6 +1360,12 @@
 return FALSE;
 }
+ if (colornumber < 32 || colornumber > FIG_MAX_USER_COLORS) {
+ message_error(_("Color number %d out of range 0..%d. Discarding color.\n"),
+ colornumber, FIG_MAX_USER_COLORS);
+ return FALSE;
+ }
+
 color.red = ((colorvalues & 0x00ff0000)>>16) / 255.0;
 color.green = ((colorvalues & 0x0000ff00)>>8) / 255.0;
 color.blue = (colorvalues & 0x000000ff) / 255.0;
@@ -1393,7 +1412,7 @@
 }
 /* Group extends don't really matter */
 if (compound_stack == NULL)
- compound_depth = 999;
+ compound_depth = FIG_MAX_DEPTHS - 1;
 compound_stack = g_slist_append(compound_stack, NULL);
 return TRUE;
 break;
@@ -1551,7 +1570,7 @@
 for (i = 0; i < FIG_MAX_USER_COLORS; i++) {
 fig_colors[i] = color_black;
 }
- for (i = 0; i < 1000; i++) {
+ for (i = 0; i < FIG_MAX_DEPTHS; i++) {
 depths[i] = NULL;
 }
@@ -1606,7 +1625,7 @@
 }
 } while (TRUE);
 /* Now we can reorder for the depth fields */
- for (i = 0; i < 1000; i++) {
+ for (i = 0; i < FIG_MAX_DEPTHS; i++) {
 if (depths[i] != NULL) layer_add_objects_first(dia->active_layer, depths[i]);
 }