On Sun, 2005-11-20 at 15:54 +0100, Martin Schulze wrote:
> Moritz Muehlenhoff wrote:
> > | October 9, 2005
> > |
> > | Mentalguy has released new point releases of the past two versions of Inkscape
> > | to correct two issues with arbitrary code execution when opening malicious
> > | files. There are no known exploits for this issue, but if you use Inkscape
> > | on a production machine in a manner that invokes files from arbitrary sources,
> > | you may wish to upgrade.
> 
> Hi,
> 
> could you provide some assistance?  The above note about arbitrary
> code execution may originate in our Bug#330894 <bugs.debian.org/330894>.
> I'd like to see the correction for this/these particular issue(s) so
> that Debian can correct the older version of Inkscape in its stable
> release, where no new upstream versions are installed.

Yes, I believe that's the bug that prompted the new point release.  I've
attached the patch for the 0.42 branch.

It's worth noting that (except for incrementing the version number in
the about dialog, etc, and some changes to the distributed Windows
makefiles) this is the only difference between 0.42.2 and 0.42.3.

I believe the patch can be applied to the 0.41 line as well (the
same change is present in 0.41.1).  I don't believe it's relevant to
0.40.

-mental
Index: src/style.cpp
===================================================================
RCS file: /cvsroot/inkscape/inkscape/src/style.cpp,v
retrieving revision 1.110
retrieving revision 1.110.2.1
diff -u -3 -r1.110 -r1.110.2.1
--- src/style.cpp	14 Jul 2005 01:48:57 -0000	1.110
+++ src/style.cpp	3 Oct 2005 05:40:12 -0000	1.110.2.1
@@ -28,6 +28,7 @@
 #include <stdlib.h>
 #endif
 
+#include <glib/gmem.h>
 #include <gtk/gtksignal.h>
 #include "libcroco/cr-prop-list.h"
 #include "libcroco/cr-sel-eng.h"
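Review bot: the new include names the GLib sub-header <glib/gmem.h> directly; GLib's documented convention is the umbrella <glib.h>, and later GLib releases reject direct inclusion of sub-headers, so `#include <glib.h>` is the more portable line (g_malloc and g_free are declared through it). The neighbouring <gtk/gtksignal.h> include already drags GLib in, so compilation does not depend on this line either way, but an explicit GLib include is still the right thing to keep so the allocator does not arrive via a GTK header.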
@@ -1175,7 +1176,6 @@
      * string: should we ignore the whole string or just from the first error onwards?) */
 
     gchar property [BMAX];
-    gchar value [BMAX];
 
     for (;;) {
 
@@ -1235,9 +1235,11 @@
         if (idx > 0) {
             if (value_begin < value_end) {
                 size_t const value_len = value_end - value_begin;
+                char *value = (char *) g_malloc(value_len + 1);
                 memcpy(value, value_begin, value_len);
                 value[value_len] = '\0';
                 sp_style_merge_property(style, idx, value);
+                g_free(value);
             } else {
                 /* TODO: Don't use g_warning for SVG errors. */
                 g_warning("No style property value at: %s", property_begin);
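Review bot: the sequence g_malloc(value_len + 1) / memcpy / value[value_len] = '\0' is exactly g_strndup(value_begin, value_len); one call is shorter and harder to get wrong. No NULL check is needed after g_malloc (it aborts rather than return NULL), but this is a .cpp translation unit: if sp_style_merge_property can throw, the g_free that follows it is skipped and the copy leaks, so either confirm it cannot throw or wrap the buffer in a scope guard. Sizing the allocation to value_len is the actual fix here, since nothing else bounds value_len once the BMAX array is gone.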

Attachment: signature.asc
Description: This is a digitally signed message part
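The bug class the patch above closes, reduced to a stand-alone C program. This is an added example, not code from this thread or from Inkscape: BMAX, find_value, value_fits_fixed_buffer and copy_value_heap are hypothetical names, BMAX is set to a small constructed value because the real one is not shown on the page, and malloc stands in for g_malloc. The first function reports whether the old fixed-buffer copy would have stayed in bounds (it never performs the unchecked copy, so the demo cannot corrupt its own stack); the second is the shape of the fixed code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Stand-in for Inkscape's BMAX (assumption: the real value is not on the
 * page; kept small so an over-long value is easy to construct). */
#define BMAX 16

/* Locate the value part of one "property: value" CSS declaration.
 * Returns a pointer to the first non-blank byte after ':' and stores the
 * value length in *len; returns NULL if there is no ':' or the value is
 * empty. The declaration ends at ';' or at the end of the string. */
static const char *find_value(const char *decl, size_t *len)
{
    const char *colon = strchr(decl, ':');
    if (!colon)
        return NULL;
    const char *begin = colon + 1;
    while (*begin && isspace((unsigned char)*begin))
        begin++;
    const char *end = strchr(begin, ';');
    if (!end)
        end = begin + strlen(begin);
    while (end > begin && isspace((unsigned char)end[-1]))
        end--;
    if (begin >= end)
        return NULL;
    *len = (size_t)(end - begin);
    return begin;
}

/* Pre-fix shape: memcpy(value, begin, len); value[len] = '\0'; into
 * gchar value[BMAX] with no check on len. This helper only computes
 * whether that copy would fit; it does not perform the unchecked copy. */
int value_fits_fixed_buffer(const char *decl)
{
    size_t len;
    const char *v = find_value(decl, &len);
    if (!v)
        return 1;                 /* nothing copied, nothing overflowed */
    return len + 1 <= BMAX;       /* len bytes plus the terminating NUL */
}

/* Fixed shape: allocate exactly len + 1 bytes on the heap, copy, terminate.
 * Caller frees the result. Returns NULL when there is no value (the patch
 * warns in that case) or when malloc fails (g_malloc would abort instead). */
char *copy_value_heap(const char *decl)
{
    size_t len;
    const char *v = find_value(decl, &len);
    if (!v)
        return NULL;
    char *value = malloc(len + 1);
    if (!value)
        return NULL;
    memcpy(value, v, len);
    value[len] = '\0';
    return value;
}

int main(void)
{
    /* Constructed inputs: one ordinary declaration, one with a value far
     * longer than BMAX, as a hostile style attribute could carry. */
    const char *ok = "fill:#ff0000";
    const char *hostile = "fill:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;stroke:none";
    printf("fixed buffer, ok:      %s\n", value_fits_fixed_buffer(ok) ? "fits" : "OVERFLOW");
    printf("fixed buffer, hostile: %s\n", value_fits_fixed_buffer(hostile) ? "fits" : "OVERFLOW");
    char *v = copy_value_heap(hostile);
    printf("heap copy, hostile:    %s (%zu bytes)\n", v ? v : "(null)", v ? strlen(v) : 0);
    free(v);
    return 0;
}
```

With BMAX at 16 the hostile declaration reports OVERFLOW for the fixed-buffer path and is copied intact by the heap path; the real BMAX is larger, but any input longer than it behaves the same way, which is why the patch stops using a fixed buffer at all rather than picking a bigger one.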