On 2006-09-10 at 14:53:03 +0200, Moritz Muehlenhoff <[EMAIL PROTECTED]> wrote: > Tobias Klauser wrote: > > Thanks for your report. > > > > These vulnerabilities are fixed by the upload of 15.5+cvs20060902-1 > > (which is a CVS snapshot incorporating them). Obviously I was not > > inspecting the upstream changelog well enough, so this was not > > mentioned in the changelog. Sorry! > > > > WRT to cscope in stable I can prepare patches if needed. > > Please go ahead.
Attached is the patch against cscope-15.5-1.1sarge1. It was taken from upstream CVS according to the changelog [1] and adapted to this version. [1] http://sourceforge.net/mailarchive/forum.php?thread_id=30266761&forum_id=33500 I built the package with the patch applied on sarge with pbuilder and there were no problems. Hope that helps, Tobias
--- cscope-15.5/src/build.c
+++ cscope-15.5/src/build.c
@@ -115,7 +115,7 @@
 }
 /* see if the name list is the same */
 for (i = 0; i < count; ++i) {
- if (fscanf(oldrefs, "%s", oldname) != 1 ||
+ if (!fgets(oldname, sizeof(oldname), oldrefs) ||
 strnotequal(oldname, names[i])) {
 return(NO);
 }
@@ -223,7 +223,7 @@
 /* if there is an old cross-reference and its current directory matches */
 /* or this is an unconditional build */
 if ((oldrefs = vpfopen(reffile, "rb")) != NULL && unconditional == NO &&
- fscanf(oldrefs, "cscope %d %s", &fileversion, olddir) == 2 &&
+ fscanf(oldrefs, "cscope %d %" PATHLEN_STR "s", &fileversion, olddir) == 2 &&
 (strcmp(olddir, currentdir) == 0 || /* remain compatible */
 strcmp(olddir, newdir) == 0)) {
 /* get the cross-reference file's modification time */
@@ -292,7 +292,7 @@
 /* see if the list of source files is the same and
 none have been changed up to the included files */
 for (i = 0; i < nsrcfiles; ++i) {
- if (fscanf(oldrefs, "%s", oldname) != 1 ||
+ if (!fgets(oldname, sizeof(oldname), oldrefs) ||
 strnotequal(oldname, srcfiles[i]) ||
 lstat(srcfiles[i], &statstruct) != 0 ||
 statstruct.st_mtime > reftime) {
@@ -301,7 +301,7 @@
 }
 /* the old cross-reference is up-to-date */
 /* so get the list of included files */
- while (i++ < oldnum && fscanf(oldrefs, "%s", oldname) == 1) {
+ while (i++ < oldnum && fgets(oldname, sizeof(oldname), oldrefs)) {
 addsrcfile(oldname);
 }
 (void) fclose(oldrefs);
--- cscope-15.5/src/command.c
+++ cscope-15.5/src/command.c
@@ -707,7 +707,7 @@
 (void) fprintf(script, "ed - <<\\!\n");
 *oldfile = '\0';
 seekline(1);
- for (i = 0; fscanf(refsfound, "%s%*s%s%*[^\n]", newfile, linenum) == 2;
+ for (i = 0; fscanf(refsfound, "%" PATHLEN_STR "s%*s%" NUMLEN_STR "s%*[^\n]", newfile, linenum) == 2;
 ++i) {
 /* see if the line is to be changed */
 if (change[i] == YES) {
--- cscope-15.5/src/dir.c
+++ cscope-15.5/src/dir.c
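Review bot: The `fgets` that replaces `fscanf(oldrefs, "%s", oldname)` in the @@ -115 hunk leaves the trailing newline in `oldname`, which `%s` never delivered, so `strnotequal(oldname, names[i])` now compares `name\n` against `name` unless strnotequal or the reference-file format happens to tolerate that (neither is visible here). The same change is made in the @@ -292 and @@ -301 hunks (`addsrcfile(oldname)` now receives the newline too) and in the main.c @@ -489 and @@ -510 hunks. If the reference file stores one name per line, stripping the terminator after each successful read, `oldname[strcspn(oldname, "\n")] = '\0';`, restores the previous comparison while keeping the bounded read; a line longer than the buffer is also no longer rejected but silently split across two reads, and a missing newline after the strip is the cheap way to detect that. The enclosing functions start and end outside these hunks.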
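Review bot: The `%" NUMLEN_STR "s` width in the new command.c @@ -707 format caps the line-number token at NUMLEN (5) characters, so a reference on line 100000 or beyond is read as `10000` and the trailing digits are swallowed by `%*[^\n]`; the generated ed script then edits the wrong line with no diagnostic. The same cap applies to the edit.c @@ -60 and @@ -83 hunks and to display.c @@ -216 (the declared size of `linenum` is not visible here, so the width is presumably matched to it). Bounded reads are the right fix for the overflow, but the limit should be documented next to NUMLEN, e.g. `/* also the widest line number the reference file can carry: 99999 */`, or the buffer and width grown to the largest line number the index writer can emit. The for loop continues past the hunk.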
@@ -319,7 +319,7 @@ /* Parse whitespace-terminated strings in line: */ point_in_line = line; - while (sscanf(point_in_line, "%s", path) == 1) { + while (sscanf(point_in_line, "%" PATHLEN_STR "s", path) == 1) { /* Have to store this length --- inviewpath() will * modify path, later! */ length_of_name = strlen(path); --- cscope-15.5/src/display.c +++ cscope-15.5/src/display.c @@ -216,7 +216,7 @@ disprefs < mdisprefs && screenline <= lastdispline; ++disprefs, ++screenline) { /* read the reference line */ - if (fscanf(refsfound, "%s%s%s %[^\n]", file, function, + if (fscanf(refsfound, "%" PATHLEN_STR "s%" PATHLEN_STR "s%" NUMLEN_STR "s %" TEMPSTRING_LEN_STR "[^\n]", file, function, linenum, tempstring) < 4) { break; } --- cscope-15.5/src/edit.c +++ cscope-15.5/src/edit.c @@ -60,7 +60,7 @@ seekline(i + topline); /* get the file name and line number */ - if (fscanf(refsfound, "%s%*s%s", file, linenum) == 2) { + if (fscanf(refsfound, "%" PATHLEN_STR "s%*s%" NUMLEN_STR "s", file, linenum) == 2) { edit(file, linenum); /* edit it */ } seekline(topline); /* restore the line pointer */ @@ -83,7 +83,7 @@ seekline(1); /* get each file name and line number */ - while (fscanf(refsfound, "%s%*s%s%*[^\n]", file, linenum) == 2) { + while (fscanf(refsfound, "%" PATHLEN_STR "s%*s%" NUMLEN_STR "s%*[^\n]", file, linenum) == 2) { edit(file, linenum); /* edit it */ if (editallprompt == YES) { addstr("Type ^D to stop editing all lines, or any other character to continue: "); --- cscope-15.5/src/main.c +++ cscope-15.5/src/main.c @@ -103,7 +103,7 @@ char temp2[PATHLEN + 1]; /* temporary file name */ long totalterms; /* total inverted index terms */ BOOL trun_syms; /* truncate symbols to 8 characters */ -char tempstring[8192]; /* use this as a buffer, instead of 'yytext', +char tempstring[TEMPSTRING_LEN + 1]; /* use this as a buffer, instead of 'yytext', * which had better be left alone */ char *tmpdir; /* temporary directory */ 
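Review bot: With `sscanf(point_in_line, "%" PATHLEN_STR "s", path)` in the dir.c hunk, a whitespace-delimited token longer than PATHLEN is no longer an overflow but is silently split: the first 250 characters become one path and, since `point_in_line` is presumably advanced by `length_of_name` (outside the hunk), the remainder is parsed as a second path on the next iteration. That is far better than the old behaviour, yet the truncation is detectable at this point: when `length_of_name == PATHLEN` and the character that follows the consumed token is not whitespace or the terminator, the entry was cut, and a `posterr`-style warning plus skipping the rest of the token would avoid feeding two bogus names into the file list. The loop and the enclosing function continue outside the hunk.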
@@ -247,6 +247,10 @@
 switch (c) {
 case 'f': /* alternate cross-reference file */
 reffile = s;
+ if (strlen(reffile) > sizeof(path) - 1) {
+ fprintf(stderr, "cscope: reffile too long, cannot be > %d characters\n", sizeof(path) - 1);
+ myexit(1);
+ }
 (void) strcpy(path, s);
 #ifdef SHORT_NAMES_ONLY
 /* System V has a 14 character limit */
@@ -489,11 +493,11 @@
 || (names = vpfopen(NAMEFILE, "r")) != NULL) {
 /* read any -p option from it */
- while (fscanf(names, "%s", path) == 1 && *path == '-') {
+ while (fgets(path, sizeof(path), names) != NULL && *path == '-') {
 i = path[1];
 s = path + 2; /* for "-Ipath" */
 if (*s == '\0') { /* if "-I path" */
- (void) fscanf(names, "%s", path);
+ fgets(path, sizeof(path), names);
 s = path;
 }
 switch (i) {
@@ -510,7 +514,7 @@
 }
 else {
 for (i = 0; i < nsrcfiles; ++i) {
- if (fscanf(oldrefs, "%s", path) != 1) {
+ if (!fgets(path, sizeof(path), oldrefs)) {
 posterr("cscope: cannot read source file name from file %s\n", reffile);
 myexit(1);
 }
--- cscope-15.5.orig/src/constants.h
+++ cscope-15.5/src/constants.h
@@ -68,6 +68,7 @@
 #define NUMLEN 5 /* line number length */
 #define PATHLEN 250 /* file pathname length */
 #define PATLEN 250 /* symbol pattern length */
+#define TEMPSTRING_LEN 8191 /* max strlen() of the global temp string */
 #define REFFILE "cscope.out" /* cross-reference output file */
 #define NAMEFILE "cscope.files" /* default list-of-files file */
 #define INVNAME "cscope.in.out" /* inverted index to the database */
@@ -77,6 +78,13 @@
 
 #define STMTMAX 10000 /* maximum source statement length */
 
+#define STR2(x) #x
+#define STRINGIZE(x) STR2(x)
+#define PATLEN_STR STRINGIZE(PATLEN)
+#define PATHLEN_STR STRINGIZE(PATHLEN)
+#define NUMLEN_STR STRINGIZE(NUMLEN)
+#define TEMPSTRING_LEN_STR STRINGIZE(TEMPSTRING_LEN)
+
 /* screen lines */
 #define FLDLINE (LINES - FIELDS - 1) /* first input field line */
 #define MSGLINE 0 /* message line */
--- cscope-15.5.orig/src/input.c
+++ cscope-15.5/src/input.c
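Review bot: The added `fprintf(stderr, "cscope: reffile too long, cannot be > %d characters\n", sizeof(path) - 1);` passes a `size_t` to `%d`, a format/argument mismatch that is undefined behaviour and prints garbage or shifts the varargs on LP64 targets. Casting keeps it portable on this code base: `"... > %lu characters\n", (unsigned long)(sizeof(path) - 1)`, or `%zu` if C99 printf can be assumed. The length check itself is right — it runs before `strcpy(path, s)` and admits exactly `sizeof(path) - 1` characters plus the terminator. The switch and the option loop continue outside the hunk.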
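Review bot: In the @@ -489 hunk the `-I path` detection on the context line `if (*s == '\0') {` stops working once the loop header reads with `fgets`: a line holding only `-I` now arrives as `-I\n`, so `s = path + 2` points at the newline rather than at `'\0'`, the branch is skipped, and `"\n"` is handed on as the include directory while the real path on the next line ends the loop as a non-option. Stripping the terminator right after the loop-header read, `path[strcspn(path, "\n")] = '\0';` as the first statement of the body, and again after the inner read, restores the old semantics. The inner `fgets(path, sizeof(path), names);` also still ignores its result, so at end of file the stale buffer is reused as a path; `if (fgets(path, sizeof(path), names) == NULL) break;` closes that. The loop and the enclosing function run past the hunk.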
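Review bot: The new STRINGIZE-based width macros in the constants.h @@ -77 hunk (`PATLEN_STR`, `PATHLEN_STR`, `NUMLEN_STR`, `TEMPSTRING_LEN_STR`) depend on the length macros expanding to bare decimal literals; a later change to `(250)` or `250u` would paste `%(250)s` into every scanf format and break parsing with no compiler warning. That invariant should be stated above the block, e.g. `/* Pasted into scanf widths: the *LEN macros above must stay plain decimal literals. */`, together with the matching buffer rule that each receiving array is LEN + 1 bytes, which `tempstring[TEMPSTRING_LEN + 1]` in main.c @@ -103 now follows.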
@@ -289,8 +289,8 @@ else { /* get the home directory of the login name */ v = logdir(out); } - /* copy the directory name */ - if (v != NULL) { + /* copy the directory name if it isn't too big */ + if (v != NULL && strlen(v) < (lastchar - out)) { (void) strcpy(out - 1, v); out += strlen(v) - 1; } @@ -313,8 +313,8 @@ } *s = '\0'; - /* get its value */ - if ((v = getenv(out)) != NULL) { + /* get its value, but only it isn't too big */ + if ((v = getenv(out)) != NULL && strlen(v) < (lastchar - out)) { (void) strcpy(out - 1, v); out += strlen(v) - 1; }
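Review bot: The new guard `strlen(v) < (lastchar - out)` in both input.c hunks compares a `size_t` with a pointer difference, so the `ptrdiff_t` is converted to unsigned; should `out` ever sit past `lastchar` (whether that can happen depends on code outside the hunks) the negative difference becomes huge, the guard passes, and `strcpy(out - 1, v)` is unbounded again. Comparing in the signed domain, `(ptrdiff_t)strlen(v) < lastchar - out`, or asserting `out <= lastchar` first, removes that corner. Both hunks also drop an over-long value silently, so the caller receives a path with the `~user` or `$VAR` left unexpanded and no diagnostic; a `posterr`-style message would make the failure visible. The second comment reads `but only it isn't too big` where `but only if it isn't too big` is meant, and the enclosing function continues outside both hunks.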