Fix CVE-2017-7960: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7960 Patch copied from upstream source repository: https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394 From 898e3a8c8c0314d2e6b106809a8e3e93cf9d4394 Mon Sep 17 00:00:00 2001 From: Ignacio Casal Quinteiro Date: Sun, 16 Apr 2017 13:13:43 +0200 Subject: input: check end of input before reading a byte When reading bytes we weren't check that the index wasn't out of bound and this could produce an invalid read which could deal to a security bug. --- src/cr-input.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/cr-input.c b/src/cr-input.c index 49000b1..3b63a88 100644 --- a/src/cr-input.c +++ b/src/cr-input.c @@ -256,7 +256,7 @@ cr_input_new_from_uri (const gchar * a_file_uri, enum CREncoding a_enc) *we should free buf here because it's own by CRInput. *(see the last parameter of cr_input_new_from_buf(). */ - buf = NULL ; + buf = NULL; } cleanup: @@ -404,6 +404,8 @@ cr_input_get_nb_bytes_left (CRInput const * a_this) enum CRStatus cr_input_read_byte (CRInput * a_this, guchar * a_byte) { + gulong nb_bytes_left = 0; + g_return_val_if_fail (a_this && PRIVATE (a_this) && a_byte, CR_BAD_PARAM_ERROR); @@ -413,6 +415,12 @@ cr_input_read_byte (CRInput * a_this, guchar * a_byte) if (PRIVATE (a_this)->end_of_input == TRUE) return CR_END_OF_INPUT_ERROR; + nb_bytes_left = cr_input_get_nb_bytes_left (a_this); + + if (nb_bytes_left < 1) { + return CR_END_OF_INPUT_ERROR; + } + *a_byte = PRIVATE (a_this)->in_buf[PRIVATE (a_this)->next_byte_index]; if (PRIVATE (a_this)->nb_bytes - @@ -477,7 +485,6 @@ cr_input_read_char (CRInput * a_this, guint32 * a_char) if (*a_char == '\n') { PRIVATE (a_this)->end_of_line = TRUE; } - } return status; -- cgit v0.12