Package: xjdic
Version: 24-9
Severity: normal
Tags: upstream patch

[ Although buffer overflows are often regarded as security bugs, I'm filing this bug with normal severity, on the advice of the security team. ]
There are several possible buffer overflows throughout the xjdic code (at least in the client).

The easiest one to trigger is by reading from /dev/null:

    $ xjdic_sa < /dev/null > /dev/null
    *** buffer overflow detected ***: /usr/bin/xjdic_sa terminated
    [...]

This is due to xjdic usually not checking getchar() for EOF (if not storing its return value outright in an unsigned char), thus appending it to its output buffer in an infinite loop.

The one that prompted me to file this bug report occurs when reading a romaji string of 10 kana or more: simply typing "@aaaaaaaaaa" will crash the client. (Only romaji is affected; inputting kana directly works fine.) This is due to tempout[] being woefully short at 80 bytes; I'm attaching a patch that pushes that limit far enough for any EDICT entry. (This isn't an actual fix; the client will still crash, only it will take an unusually long input string for this to happen.)

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.16.0-4-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
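The EOF pattern the report describes, as an added example that is not xjdic's code: a reader that stores the getc() result in an unsigned char, so EOF (-1) is truncated to 0xFF and the end-of-input test never fires, beside a reader that keeps the int and bounds its writes. The function names, the CAP size and the cap guard in the vulnerable version (present only so the demonstration terminates instead of overflowing) are assumptions for this example; the inputs are constructed in-memory streams, with the empty one standing in for the report's `< /dev/null` run.

```c
#include <stdio.h>
#include <string.h>

#define CAP 16   /* assumed small buffer so the runaway is visible */

/* Vulnerable reader (pattern from the report). c is an unsigned char, so
 * c == eof_marker (-1) can never be true: on an exhausted stream the loop
 * keeps appending 0xFF. The hit_cap guard is added here only so the demo
 * stops; the reported code has no such guard and overflows its buffer. */
size_t read_line_unsafe(FILE *fp, unsigned char *out, int *hit_cap)
{
    const int eof_marker = EOF;   /* variable, so the compiler does not fold the test */
    unsigned char c;
    size_t n = 0;

    *hit_cap = 0;
    for (;;) {
        c = (unsigned char)getc(fp);        /* -1 becomes 0xFF here */
        if (c == eof_marker || c == '\n')   /* first comparison is always false */
            break;
        if (n == CAP) { *hit_cap = 1; break; }
        out[n++] = c;
    }
    return n;
}

/* Hardened reader: keeps the int so EOF stays distinct from byte 0xFF, and
 * never writes past size-1 bytes (excess input is dropped, not stored). */
size_t read_line_safe(FILE *fp, unsigned char *out, size_t size, int *saw_eof)
{
    int c;
    size_t n = 0;

    *saw_eof = 0;
    while ((c = getc(fp)) != EOF && c != '\n') {
        if (n + 1 < size)
            out[n++] = (unsigned char)c;
    }
    if (c == EOF)
        *saw_eof = 1;
    out[n] = '\0';
    return n;
}

/* Constructed input: a temporary stream holding exactly `data`. */
static FILE *stream_of(const char *data)
{
    FILE *fp = tmpfile();
    if (fp && *data) {
        fputs(data, fp);
        rewind(fp);
    }
    return fp;
}

/* Empty stream through the unsafe reader: returns the bytes appended before
 * the guard stopped it and reports whether every one of them was 0xFF. */
size_t unsafe_bytes_on_empty(int *all_ff)
{
    unsigned char buf[CAP];
    int hit_cap = 0;
    size_t n, i;
    FILE *fp = stream_of("");
    if (!fp) return 0;
    n = read_line_unsafe(fp, buf, &hit_cap);
    fclose(fp);
    *all_ff = hit_cap;
    for (i = 0; i < n; i++)
        if (buf[i] != 0xFF) *all_ff = 0;
    return n;
}

/* Empty stream through the safe reader: 0 bytes, EOF reported. */
size_t safe_bytes_on_empty(int *saw_eof)
{
    unsigned char buf[CAP];
    FILE *fp = stream_of("");
    size_t n;
    if (!fp) return 0;
    n = read_line_safe(fp, buf, sizeof buf, saw_eof);
    fclose(fp);
    return n;
}

/* "@" plus 39 'a' and no newline (an over-long romaji line that also ends in
 * EOF): the safe reader stores CAP-1 bytes and still reports EOF. */
size_t safe_bytes_on_long_line(int *saw_eof)
{
    unsigned char buf[CAP];
    char line[41];
    FILE *fp;
    size_t n;
    memset(line, 'a', 40);
    line[0] = '@';
    line[40] = '\0';
    fp = stream_of(line);
    if (!fp) return 0;
    n = read_line_safe(fp, buf, sizeof buf, saw_eof);
    fclose(fp);
    return n;
}

int main(void)
{
    int all_ff = 0, saw_eof = 0;
    size_t n = unsafe_bytes_on_empty(&all_ff);
    printf("unsafe reader, empty stream: appended %zu bytes, all 0xFF: %d\n", n, all_ff);
    n = safe_bytes_on_empty(&saw_eof);
    printf("safe reader, empty stream: %zu bytes, eof=%d\n", n, saw_eof);
    n = safe_bytes_on_long_line(&saw_eof);
    printf("safe reader, 40-byte line: %zu bytes stored, eof=%d\n", n, saw_eof);
    return 0;
}
```

The first reader is the whole bug in miniature: with CAP removed it writes 0xFF past the end of `buf` indefinitely, which is the `*** buffer overflow detected ***` abort above. The second one fixes both problems at once: the `int` makes EOF observable, and the `size` parameter makes the buffer size part of the call rather than an assumption in the caller, so enlarging an array (as the attached patch does) stops being the only line of defence.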
>From 9b78d4ecf5a589a7bcd1d22da6b952df99e2be88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Bri=C3=A8re?= <fbri...@fbriere.net> Date: Tue, 19 May 2015 19:04:46 -0400 Subject: [PATCH] Allocate enough space for romaji input strings of up to 50 kana MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Various buffer overflows will occur once a romaji input string goes over a certain length. This patch does not actually fix the problem, but merely pushes that limit beyond 50 kana, which is the length of the largest string[1] found in EDICT so far. [1] プログラムせいぎょしきおよびキーボードせいぎょしきのアドレスしていかのうなきおくいきをもつけいさんき --- xjdfrontend.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xjdfrontend.c b/xjdfrontend.c index 92ec03d..800afe1 100644 --- a/xjdfrontend.c +++ b/xjdfrontend.c @@ -98,7 +98,7 @@ int extlen,extjdxlen; unsigned char kmodes[2][10] = {"ON","OFF"}; unsigned char kmodes_r[2][10] = {"OFF","ON"}; unsigned long chline,chpos,it; -unsigned char strfilt[10],tempout[80]; +unsigned char strfilt[10],tempout[256]; unsigned char KSname[50] = {"kanjstroke"}; unsigned char RKname[50] = {"radkfile"}; unsigned char Rname[50] = {"radicals.tm"}; @@ -115,7 +115,7 @@ int jiver = 14; /*The last time the index structure changed was Version1.4*/ unsigned char sver[] = {SVER}; unsigned char fbuff[512],KLine[KFBUFFSIZE],karray[KANJARRAYSIZE][5]; unsigned char LogLine[200]; -unsigned char ksch[50],ktarg[50]; +unsigned char ksch[128],ktarg[128]; /* The following Help table has "~" to force spaces */ unsigned char Help[40][81] = { "\n~~~~~~~~~~~~~~~~~~XJDIC USAGE SUMMARY ", -- 2.1.4
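Review bot: in the first hunk, tempout[80] becoming tempout[256] leaves every write into tempout[] unbounded, so the overflow the report describes is moved, not removed, and the new size is a bare literal on the same declaration line as strfilt[10] with nothing tying it to the 50-kana EDICT maximum the commit message cites. Suggest a named constant, e.g. `#define TEMPOUT_SIZE 256` and `unsigned char strfilt[10],tempout[TEMPOUT_SIZE];`, with a comment recording the EDICT-derived bound, and a follow-up that makes the code filling tempout[] check against sizeof tempout (snprintf or an explicit length test) so the next longer entry truncates instead of crashing.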
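Review bot: the second hunk sizes ksch[] and ktarg[] at 128 while the first sizes tempout[] at 256, and neither the commit message nor a comment says how either figure follows from "50 kana", so a reviewer cannot check that the two limits are consistent with each other or with the footnoted EDICT string. Please state the bytes-per-kana assumption behind 128 in the message or next to the declaration, and since ksch and ktarg share one declaration and presumably one limit, size both from a single named constant so a later bump cannot change one and miss the other.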