← Back to branch summary

~ubuntu-branches/ubuntu/utopic/libmsn/utopic

« back to all changes in this revision

Viewing changes to debian/patches/02-avoid_potential_buffer_overrun.diff

  • Committer: Bazaar Package Importer
  • Author(s): Pau Garcia i Quiles
  • Date: 2009-06-10 11:58:32 UTC
  • mfrom: (1.1.4 upstream) (0.1.3 sid)
  • Revision ID: james.westby@ubuntu.com-20090610115832-luyjsx423fbxs1hp
Tags: 4.0~beta6-1
* New upstream beta release
* Remove patch for buffer overflow, as it is now included upstream. 
* Remove build-dependency on quilt, as it is no longer needed because
  there are no patches to be applied.
* Bump shlibs due to bugfix in MSNClientInformationFields enum

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/patches/02-avoid_potential_buffer_overrun.diff
1
 
Description: fix potential overflows in XML parsing.
2
 
Ubuntu: https://bugs.launchpad.net/bugs/308060
3
 
 
4
 
Index: libmsn-4.0~beta4/msn/xmlParser.cpp
5
 
===================================================================
6
 
--- libmsn-4.0~beta4.orig/msn/xmlParser.cpp     2009-03-27 16:18:12.000000000 -0700
7
 
+++ libmsn-4.0~beta4/msn/xmlParser.cpp  2009-03-27 16:22:57.000000000 -0700
8
 
@@ -302,7 +302,14 @@
9
 
            int _tcsicmp(XMLCSTR c1, XMLCSTR c2) { return wcscasecmp(c1,c2); }
10
 
         #endif
11
 
         XMLSTR _tcsstr(XMLCSTR c1, XMLCSTR c2) { return (XMLSTR)wcsstr(c1,c2); }
12
 
-        XMLSTR _tcscpy(XMLSTR c1, XMLCSTR c2) { return (XMLSTR)wcscpy(c1,c2); }
13
 
+        XMLSTR _tcscpy(XMLSTR c1, XMLCSTR c2, int n) {
14
 
+                       if (n<=0) {
15
 
+                               return NULL;
16
 
+                       }
17
 
+            XMLSTR result=(XMLSTR)wcsncpy(c1,c2,n);
18
 
+            result[n-1]=L'\0';
19
 
+            return result;
20
 
+        }
21
 
         FILE *_tfopen(XMLCSTR filename,XMLCSTR mode)
22
 
         {
23
 
             char *filenameAscii=myWideCharToMultiByte(filename);
24
 
@@ -319,7 +326,14 @@
25
 
         int _tcsncmp(XMLCSTR c1, XMLCSTR c2, int l) { return strncmp(c1,c2,l);}
26
 
         int _tcsicmp(XMLCSTR c1, XMLCSTR c2) { return strcasecmp(c1,c2); }
27
 
         XMLSTR _tcsstr(XMLCSTR c1, XMLCSTR c2) { return (XMLSTR)strstr(c1,c2); }
28
 
-        XMLSTR _tcscpy(XMLSTR c1, XMLCSTR c2) { return (XMLSTR)strcpy(c1,c2); }
29
 
+        XMLSTR _tcscpy(XMLSTR c1, XMLCSTR c2, int n) {
30
 
+                       if (n<=0) {
31
 
+                               return NULL;
32
 
+                       }
33
 
+            XMLSTR result=(XMLSTR)strncpy(c1,c2,n);
34
 
+            result[n-1]='\0';
35
 
+            return result;
36
 
+        }
37
 
     #endif
38
 
     int _strnicmp(const char *c1,const char *c2, int l) { return strncasecmp(c1,c2,l);}
39
 
 #endif
40
 
@@ -550,28 +564,39 @@
41
 
     return lpszNew;
42
 
 }
43
 
 
44
 
-XMLSTR toXMLStringUnSafe(XMLSTR dest,XMLCSTR source)
45
 
+XMLSTR toXMLStringUnSafe(XMLSTR dest,XMLCSTR source,int length)
46
 
 {
47
 
     XMLSTR dd=dest;
48
 
     XMLCHAR ch;
49
 
     XMLCharacterEntity *entity;
50
 
-    while ((ch=*source))
51
 
+    while ((ch=*source) && length > 0)
52
 
     {
53
 
         entity=XMLEntities;
54
 
         do
55
 
         {
56
 
-            if (ch==entity->c) {_tcscpy(dest,entity->s); dest+=entity->l; source++; goto out_of_loop1; }
57
 
+            if (ch==entity->c)
58
 
+            {
59
 
+                _tcscpy(dest,entity->s,length);
60
 
+                dest+=entity->l;
61
 
+                length-=entity->l;
62
 
+                source++;
63
 
+                goto out_of_loop1;
64
 
+            }
65
 
             entity++;
66
 
         } while(entity->s);
67
 
+        if (length > 0)
68
 
+        {
69
 
 #ifdef _XMLWIDECHAR
70
 
-        *(dest++)=*(source++);
71
 
+            *(dest++)=*(source++);
72
 
+            length--;
73
 
 #else
74
 
-        switch(XML_ByteTable[(unsigned char)ch])
75
 
-        {
76
 
-        case 4: *(dest++)=*(source++);
77
 
-        case 3: *(dest++)=*(source++);
78
 
-        case 2: *(dest++)=*(source++);
79
 
-        case 1: *(dest++)=*(source++);
80
 
+            switch(XML_ByteTable[(unsigned char)ch])
81
 
+            {
82
 
+            case 4: *(dest++)=*(source++); length--; if (!length) break;
83
 
+            case 3: *(dest++)=*(source++); length--; if (!length) break;
84
 
+            case 2: *(dest++)=*(source++); length--; if (!length) break;
85
 
+            case 1: *(dest++)=*(source++); length--; if (!length) break;
86
 
+            }
87
 
         }
88
 
 #endif
89
 
 out_of_loop1:
90
 
@@ -612,7 +637,7 @@
91
 
 {
92
 
     int l=lengthXMLString(source)+1;
93
 
     if (l>buflen) { buflen=l; buf=(XMLSTR)realloc(buf,l*sizeof(XMLCHAR)); }
94
 
-    return toXMLStringUnSafe(buf,source);
95
 
+    return toXMLStringUnSafe(buf,source,buflen);
96
 
 }
97
 
 
98
 
 // private:
99
 
@@ -1708,7 +1733,7 @@
100
 
 //
101
 
 // This recurses through all subnodes then adds contents of the nodes to the
102
 
 // string.
103
 
-int XMLNode::CreateXMLStringR(XMLNodeData *pEntry, XMLSTR lpszMarker, int nFormat)
104
 
+int XMLNode::CreateXMLStringR(XMLNodeData *pEntry, XMLSTR lpszMarker, int length, int nFormat)
105
 
 {
106
 
     int nResult = 0;
107
 
     int cb;
108
 
@@ -1735,7 +1760,7 @@
109
 
             nResult = cb;
110
 
             lpszMarker[nResult++]=_T('<');
111
 
             if (pEntry->isDeclaration) lpszMarker[nResult++]=_T('?');
112
 
-            _tcscpy(&lpszMarker[nResult], pEntry->lpszName);
113
 
+            _tcscpy(&lpszMarker[nResult], pEntry->lpszName, length-nResult);
114
 
             nResult+=cbElement;
115
 
             lpszMarker[nResult++]=_T(' ');
116
 
 
117
 
@@ -1753,7 +1778,7 @@
118
 
             cb = (int)LENSTR(pAttr->lpszName);
119
 
             if (cb)
120
 
             {
121
 
-                if (lpszMarker) _tcscpy(&lpszMarker[nResult], pAttr->lpszName);
122
 
+                if (lpszMarker) _tcscpy(&lpszMarker[nResult], pAttr->lpszName, length-nResult);
123
 
                 nResult += cb;
124
 
                 // "Attrib=Value "
125
 
                 if (pAttr->lpszValue)
126
 
@@ -1763,7 +1788,7 @@
127
 
                     {
128
 
                         lpszMarker[nResult]=_T('=');
129
 
                         lpszMarker[nResult+1]=_T('"');
130
 
-                        if (cb) toXMLStringUnSafe(&lpszMarker[nResult+2],pAttr->lpszValue);
131
 
+                        if (cb) toXMLStringUnSafe(&lpszMarker[nResult+2],pAttr->lpszValue, length-(nResult+2));
132
 
                         lpszMarker[nResult+cb+2]=_T('"');
133
 
                     }
134
 
                     nResult+=cb+3;
135
 
@@ -1827,13 +1852,13 @@
136
 
                         if (lpszMarker)
137
 
                         {
138
 
                             charmemset(&lpszMarker[nResult],INDENTCHAR,sizeof(XMLCHAR)*(nFormat + 1));
139
 
-                            toXMLStringUnSafe(&lpszMarker[nResult+nFormat+1],pChild);
140
 
+                            toXMLStringUnSafe(&lpszMarker[nResult+nFormat+1],pChild, length - (nResult + nFormat + 1));
141
 
                             lpszMarker[nResult+nFormat+1+cb]=_T('\n');
142
 
                         }
143
 
                         nResult+=cb+nFormat+2;
144
 
                     } else
145
 
                     {
146
 
-                        if (lpszMarker) toXMLStringUnSafe(&lpszMarker[nResult], pChild);
147
 
+                        if (lpszMarker) toXMLStringUnSafe(&lpszMarker[nResult], pChild, length - nResult);
148
 
                         nResult += cb;
149
 
                     }
150
 
                 }
151
 
@@ -1853,13 +1878,13 @@
152
 
                         if (lpszMarker)
153
 
                         {
154
 
                             charmemset(&lpszMarker[nResult], INDENTCHAR, sizeof(XMLCHAR)*(nFormat + 1));
155
 
-                            _tcscpy(&lpszMarker[nResult+nFormat+1], pChild->lpszOpenTag);
156
 
+                            _tcscpy(&lpszMarker[nResult+nFormat+1], pChild->lpszOpenTag, length - (nResult + nFormat + 1));
157
 
                         }
158
 
                         nResult+=cb+nFormat+1;
159
 
                     }
160
 
                     else
161
 
                     {
162
 
-                        if (lpszMarker)_tcscpy(&lpszMarker[nResult], pChild->lpszOpenTag);
163
 
+                        if (lpszMarker)_tcscpy(&lpszMarker[nResult], pChild->lpszOpenTag, length - nResult);
164
 
                         nResult += cb;
165
 
                     }
166
 
                 }
167
 
@@ -1868,7 +1893,7 @@
168
 
                 cb = (int)LENSTR(pChild->lpszValue);
169
 
                 if (cb)
170
 
                 {
171
 
-                    if (lpszMarker) _tcscpy(&lpszMarker[nResult], pChild->lpszValue);
172
 
+                    if (lpszMarker) _tcscpy(&lpszMarker[nResult], pChild->lpszValue, length - nResult);
173
 
                     nResult += cb;
174
 
                 }
175
 
 
176
 
@@ -1876,7 +1901,7 @@
177
 
                 cb = (int)LENSTR(pChild->lpszCloseTag);
178
 
                 if (cb)
179
 
                 {
180
 
-                    if (lpszMarker) _tcscpy(&lpszMarker[nResult], pChild->lpszCloseTag);
181
 
+                    if (lpszMarker) _tcscpy(&lpszMarker[nResult], pChild->lpszCloseTag, length - nResult);
182
 
                     nResult += cb;
183
 
                 }
184
 
 
185
 
@@ -1892,7 +1917,7 @@
186
 
         case eNodeChild:
187
 
             {
188
 
                 // Recursively add child nodes
189
 
-                nResult += CreateXMLStringR(pEntry->pChild[j>>2].d, lpszMarker ? lpszMarker + nResult : 0, nChildFormat);
190
 
+                nResult += CreateXMLStringR(pEntry->pChild[j>>2].d, lpszMarker ? lpszMarker + nResult : 0, lpszMarker ? length - nResult : 0, nChildFormat);
191
 
                 break;
192
 
             }
193
 
         default: break;
194
 
@@ -1917,18 +1942,18 @@
195
 
                     }
196
 
                 }
197
 
 
198
 
-                _tcscpy(&lpszMarker[nResult], _T("</"));
199
 
+                _tcscpy(&lpszMarker[nResult], _T("</"), length - nResult);
200
 
                 nResult += 2;
201
 
-                _tcscpy(&lpszMarker[nResult], pEntry->lpszName);
202
 
+                _tcscpy(&lpszMarker[nResult], pEntry->lpszName, length - nResult);
203
 
                 nResult += cbElement;
204
 
 
205
 
                 if (nFormat == -1)
206
 
                 {
207
 
-                    _tcscpy(&lpszMarker[nResult], _T(">"));
208
 
+                    _tcscpy(&lpszMarker[nResult], _T(">"), length - nResult);
209
 
                     nResult++;
210
 
                 } else
211
 
                 {
212
 
-                    _tcscpy(&lpszMarker[nResult], _T(">\n"));
213
 
+                    _tcscpy(&lpszMarker[nResult], _T(">\n"), length - nResult);
214
 
                     nResult+=2;
215
 
                 }
216
 
             } else
217
 
@@ -1945,12 +1970,12 @@
218
 
             {
219
 
                 if (nFormat == -1)
220
 
                 {
221
 
-                    _tcscpy(&lpszMarker[nResult], _T("/>"));
222
 
+                    _tcscpy(&lpszMarker[nResult], _T("/>"), length - nResult);
223
 
                     nResult += 2;
224
 
                 }
225
 
                 else
226
 
                 {
227
 
-                    _tcscpy(&lpszMarker[nResult], _T("/>\n"));
228
 
+                    _tcscpy(&lpszMarker[nResult], _T("/>\n"), length - nResult);
229
 
                     nResult += 3;
230
 
                 }
231
 
             }
232
 
@@ -1985,12 +2010,12 @@
233
 
     // Recursively Calculate the size of the XML string
234
 
     if (!dropWhiteSpace) nFormat=0;
235
 
     nFormat = nFormat ? 0 : -1;
236
 
-    cbStr = CreateXMLStringR(d, 0, nFormat);
237
 
+    cbStr = CreateXMLStringR(d, 0, 0, nFormat);
238
 
     assert(cbStr);
239
 
     // Alllocate memory for the XML string + the NULL terminator and
240
 
     // create the recursively XML string.
241
 
     lpszResult=(XMLSTR)malloc((cbStr+1)*sizeof(XMLCHAR));
242
 
-    CreateXMLStringR(d, lpszResult, nFormat);
243
 
+    CreateXMLStringR(d, lpszResult, cbStr+1, nFormat);
244
 
     if (pnSize) *pnSize = cbStr;
245
 
     return lpszResult;
246
 
 }
247
 
Index: libmsn-4.0~beta4/msn/xmlParser.h
248
 
===================================================================
249
 
--- libmsn-4.0~beta4.orig/msn/xmlParser.h       2009-03-27 16:18:12.000000000 -0700
250
 
+++ libmsn-4.0~beta4/msn/xmlParser.h    2009-03-27 16:18:43.000000000 -0700
251
 
@@ -447,7 +447,7 @@
252
 
       XMLCSTR addText_priv(int,XMLSTR,int);
253
 
       XMLClear *addClear_priv(int,XMLSTR,XMLCSTR,XMLCSTR,int);
254
 
       static inline int findPosition(XMLNodeData *d, int index, XMLElementType xtype);
255
 
-      static int CreateXMLStringR(XMLNodeData *pEntry, XMLSTR lpszMarker, int nFormat);
256
 
+      static int CreateXMLStringR(XMLNodeData *pEntry, XMLSTR lpszMarker, int length, int nFormat);
257
 
       static int removeOrderElement(XMLNodeData *d, XMLElementType t, int index);
258
 
       static void exactMemory(XMLNodeData *d);
259
 
       static int detachFromParent(XMLNodeData *d);