Fix buffer overflow in TexOpen

Also add missing indentation and braces that could lead to misunderstanding control statements. Closes #60
pkubowicz · Jan 25, 2020 · c551c02 · c551c02
1 parent b5f4168
commit c551c02
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 12 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -192,3 +192,5 @@ Fixed man page on macOS (#47). Thanks to FX Coudert.
 Added -v option for showing version.
 
 (Version 2.8.6) -- UNRELEASED
+
+Fixed buffer overflow (CVE-2019-19601 #60).
diff --git a/detex.l b/detex.l
@@ -898,24 +898,25 @@ TexOpen(char *sbFile)
 #else
 	    if (*sbFile == '/') {	/* absolute path */
 #endif
-		(void)sprintf(sbFullPath, "%s", sbFile);
-		iPath = csbInputPaths;	/* only check once */
-	    } else
-		(void)sprintf(sbFullPath, "%s/%s", rgsbInputPaths[iPath], sbFile);
+			(void)snprintf(sbFullPath, PATH_MAX-1, "%s", sbFile);
+			iPath = csbInputPaths;	/* only check once */
+	    } else {
+			(void)snprintf(sbFullPath, PATH_MAX-1, "%s/%s", rgsbInputPaths[iPath], sbFile);
+		}
 #ifdef OS2
 	    pch = sbFullPath;
-	    while (pch = strchr(pch, '\\'))
-		*pch = '/';
+	    while (pch = strchr(pch, '\\')) {
+			*pch = '/';
+		}
 #endif
 
 	    /* If sbFile ends in .tex then it must be there */
 	    if ((pch = strrchr(sbFullPath, '.')) != NULL
-			&& (strcmp(pch, ".tex") == 0))
-	    {
-		if ((fp = fopen(sbFullPath, "r")) != NULL)
-		    return(fp);
-		else
-		    continue;
+			&& (strcmp(pch, ".tex") == 0)) {
+			if ((fp = fopen(sbFullPath, "r")) != NULL)
+				return(fp);
+			else
+				continue;
 	    }
 
 	    /* if .<ext> then try to open it.  the '.' represents   */
Original file line number	Diff line number	Diff line change
Expand Up		@@ -192,3 +192,5 @@ Fixed man page on macOS (#47). Thanks to FX Coudert.
		Added -v option for showing version.

		(Version 2.8.6) -- UNRELEASED

		Fixed buffer overflow (CVE-2019-19601 #60).