From c551c023eff26aca406523d6d0450cd9a86302f7 Mon Sep 17 00:00:00 2001
From: Piotr Kubowicz
Date: Sat, 25 Jan 2020 13:44:41 +0100
Subject: [PATCH] Fix buffer overflow in TexOpen Also add missing indentation and braces that could lead to misunderstanding control statements. Closes #60
---
ChangeLog | 2 ++
detex.l | 25 +++++++++++++------------
2 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 0bdcbbd..c20cbc2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -192,3 +192,5 @@ Fixed man page on macOS (#47). Thanks to FX Coudert. Added -v option for showing version. (Version 2.8.6) -- UNRELEASED
+
+Fixed buffer overflow (CVE-2019-19601 #60).
diff --git a/detex.l b/detex.l
index 4b638f9..049c26a 100644
--- a/detex.l
+++ b/detex.l
@@ -898,24 +898,25 @@ TexOpen(char *sbFile)
 #else
 if (*sbFile == '/') { /* absolute path */
 #endif
- (void)sprintf(sbFullPath, "%s", sbFile);
- iPath = csbInputPaths; /* only check once */
- } else
- (void)sprintf(sbFullPath, "%s/%s", rgsbInputPaths[iPath], sbFile);
+ (void)snprintf(sbFullPath, PATH_MAX-1, "%s", sbFile);
+ iPath = csbInputPaths; /* only check once */
+ } else {
+ (void)snprintf(sbFullPath, PATH_MAX-1, "%s/%s", rgsbInputPaths[iPath], sbFile);
+ }
 #ifdef OS2
 pch = sbFullPath;
- while (pch = strchr(pch, '\\'))
- *pch = '/';
+ while (pch = strchr(pch, '\\')) {
+ *pch = '/';
+ }
 #endif
 /* If sbFile ends in .tex then it must be there */
 if ((pch = strrchr(sbFullPath, '.')) != NULL
- && (strcmp(pch, ".tex") == 0))
- {
- if ((fp = fopen(sbFullPath, "r")) != NULL)
- return(fp);
- else
- continue;
+ && (strcmp(pch, ".tex") == 0)) {
+ if ((fp = fopen(sbFullPath, "r")) != NULL)
+ return(fp);
+ else
+ continue;
 }
 /* if . then try to open it. the '.' represents */
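Review bot: Both `snprintf` calls into `sbFullPath` in the detex.l hunk discard the return value, so an over-long `sbFile` or input-path entry is now silently truncated and the shortened path is handed to the `fopen` a few lines below, which can open a different file than the one requested. Keep the result and skip the candidate on truncation, e.g. `n = snprintf(sbFullPath, sizeof sbFullPath, "%s/%s", rgsbInputPaths[iPath], sbFile);` followed by `if (n < 0 || (size_t)n >= sizeof sbFullPath) continue;`, and the same for the absolute-path branch. `sizeof sbFullPath` assumes the buffer is an array declared inside TexOpen, which is outside the hunk; if so it also makes the `PATH_MAX-1` slack unnecessary, because snprintf already counts the terminator within the size it is given. TexOpen continues past the end of the hunk, so any later append to `sbFullPath` there should be checked against the same bound.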