Sorry, the previous patch was wrong, here is the second patch. BTW, the security issue comes from a fixed-length string buffer (CHA_INPUT_SIZE = 8192), and the input string will be longer than 8192 bytes in some situations.
The patch is for the chasen_sparse_str() function, and the function works almost the same as chasen_fparse_str(). The 2 functions differ in input source (string or file pointer).
diff --git a/lib/chalib.c b/lib/chalib.c index 5d79e13..cddf51b 100644 --- a/lib/chalib.c +++ b/lib/chalib.c @@ -306,9 +306,14 @@ chasen_sparse_main(char *input, FILE *output) */ while (*input) { int c = 0, len, cursor; - if ((crlf = strpbrk(input, "\r\n")) == NULL) + if ((crlf = strpbrk(input, "\r\n")) == NULL) { len = strlen(input); - else { + if (len >= CHA_INPUT_SIZE) { + len = CHA_INPUT_SIZE - 1; + crlf = input + CHA_INPUT_SIZE - 2; + c = 0; + } + } else { len = crlf - input; c = *crlf; *crlf = '\0';
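Review bot: the new length clamp only covers the branch where strpbrk() finds no CR/LF; in the else branch, `len = crlf - input` is still unbounded, so a line of CHA_INPUT_SIZE bytes or more that does end in a newline is not limited by this change. Consider applying the `len >= CHA_INPUT_SIZE` check after both branches have set len. In the new branch, crlf is set to `input + CHA_INPUT_SIZE - 2`, which is input + len - 1, whereas the else branch has crlf at input + len and writes '\0' there; a comment explaining why the truncated case points one byte earlier and leaves the segment unterminated would make the intent checkable. The added `c = 0;` is redundant, since c is already initialised by `int c = 0` at the top of the loop body.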