
ming-0.4.5-14.1.mga6.src.rpm

From 059933c07418ed6c6c272074d8065b02e585407a Mon Sep 17 00:00:00 2001
From: Balint Reczey <balint@balintreczey.hu>
Date: Mon, 2 Jan 2017 21:28:17 +0100
Subject: [PATCH 3/8] Exit immediately when unexpected EOF is by fgetc() in
 utility programs

Fixes CVE-2016-9831

Fixes: #58
---
 util/listfdb.c     | 24 +++++++++++++++++++++++-
 util/listjpeg.c    | 13 ++++++++-----
 util/old/listswf.c |  5 +++++
 util/old/read.c    | 32 +++++++++++++++++++++++++++++---
 util/read.c        | 32 +++++++++++++++++++++++++++++---
 5 files changed, 94 insertions(+), 12 deletions(-)

--- a/util/listfdb.c
+++ b/util/listfdb.c
@@ -71,12 +71,24 @@
     {
       ret <<= 8;
       ret += fgetc(f);
+      if (feof(f))
+      {
+        fprintf(stderr, "truncated file\n");
+        exit(-1);
+      }
+
       ++fileOffset;
       number -= 8;
     }
 
     ++fileOffset;
     buffer = fgetc(f);
+    if (feof(f))
+    {
+      fprintf(stderr, "truncated file\n");
+      exit(-1);
+    }
+
 
     if(number>0)
     {
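Review bot: Both checks added in this hunk call `feof(f)` only after the `fgetc()` result has been consumed, so a read error is missed: there `fgetc()` returns EOF with the error indicator set rather than the end-of-file indicator, and -1 is still added to `ret` or stored in `buffer`. The util/read.c hunks of this same patch capture the byte and compare it with EOF, which covers both conditions. Doing the same here keeps the two copies of the reader consistent: `int c = fgetc(f);` then `if (c == EOF) { fprintf(stderr, "truncated file\n"); exit(-1); }` before `ret += c;`, and likewise before `buffer = c;`. The enclosing function starts above the hunk and continues below it.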
@@ -108,9 +120,19 @@
 
 int readUInt8(FILE *f)
 {
+  int tmp_char = fgetc(f);
+  // the rest of the code does not handle errors and use EOF as a valid unsigned char value
+  if (tmp_char == EOF)
+  {
+    // exit here instead of crashing elswhere
+    fprintf(stderr, "truncated file\n");
+    exit(-1);
+  }
+
   bufbits = 0;
   ++fileOffset;
-  return fgetc(f);
+
+  return tmp_char;
 }
 
 int readSInt8(FILE *f)
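Review bot: The read-check-print-exit sequence added to `readUInt8` here is repeated verbatim in the `readBits` and `readUInt8` hunks of util/read.c, and in a `feof()` variant in the first hunk of this file, so it should live in one file-local helper that every byte read goes through. That leaves a single place for the message and the exit status, and a later reader function cannot forget the check. While there, `exit(-1)` is better written `exit(EXIT_FAILURE)`, since a negative status is reported as 255 on POSIX systems, and the comment has a typo (`elswhere`). The helper name below is only a suggestion.

```c
/* Read one byte; a truncated or unreadable input ends the program here
   instead of letting EOF be used as a byte value further on. */
static int readByteOrExit(FILE *f)
{
  int c = fgetc(f);

  if (c == EOF)
  {
    fprintf(stderr, "truncated file\n");
    exit(EXIT_FAILURE);
  }

  return c;
}

int readUInt8(FILE *f)
{
  int tmp_char = readByteOrExit(f);

  // … unchanged: bufbits reset, fileOffset increment, return tmp_char …
```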
--- a/util/listjpeg.c
+++ b/util/listjpeg.c
@@ -52,11 +52,14 @@
 
     if(c != JPEG_SOI && c != JPEG_EOI)
     {
-      l = (fgetc(f)<<8) + fgetc(f);
-      printf("%i bytes\n", l);
+      int tmp_char = fgetc(f);
+      if (!feof(f)) {
+        l = (tmp_char << 8) + fgetc(f);
+        printf("%i bytes\n", l);
 
-      for(l-=2; l>0; --l)
-	fgetc(f);
+        for(l-=2; l>0; --l)
+          fgetc(f);
+      }
     }
   }
 }
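Review bot: Only the first length byte is checked: the second `fgetc(f)` in `l = (tmp_char << 8) + fgetc(f);` can still return EOF, which gives a length one lower than the high byte implies and prints it as if it were real. `feof(f)` also does not see a read error on the first byte. Reading both bytes and testing the values covers both cases: `int hi = fgetc(f), lo = fgetc(f);`, `if (hi != EOF && lo != EOF) {`, `l = (hi << 8) + lo;`. The skip loop also discards its `fgetc()` results, so a segment length larger than the rest of the file goes unreported, and unlike the other utilities in this patch this path continues silently instead of reporting a truncated file. The enclosing loop starts above the hunk, so how it terminates at end of file is not visible here.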
--- a/util/read.c
+++ b/util/read.c
@@ -23,6 +23,7 @@
 int readBits(FILE *f, int number)
 {
   int ret = buffer;
+  int tmp_char;
 
   if(number == bufbits)
   {
@@ -37,14 +38,30 @@
 
     while(number>8)
     {
+      tmp_char = fgetc(f);
+      if (tmp_char == EOF)
+      {
+        // exit here instead of crashing elswhere
+        fprintf(stderr, "truncated file\n");
+        exit(-1);
+      }
+
       ret <<= 8;
-      ret += fgetc(f);
+      ret += tmp_char;
       ++fileOffset;
       number -= 8;
     }
 
     ++fileOffset;
-    buffer = fgetc(f);
+    tmp_char = fgetc(f);
+    if (tmp_char == EOF)
+    {
+      // exit here instead of crashing elswhere
+      fprintf(stderr, "truncated file\n");
+      exit(-1);
+    }
+
+    buffer = tmp_char;
 
     if(number>0)
     {
@@ -88,9 +105,18 @@
 
 int readUInt8(FILE *f)
 {
+  int tmp_char = fgetc(f);
+  // the rest of the code does not handle errors and use EOF as a valid unsigned char value
+  if (tmp_char == EOF)
+  {
+    // exit here instead of crashing elswhere
+    fprintf(stderr, "truncated file\n");
+    exit(-1);
+  }
+
   bufbits = 0;
   ++fileOffset;
-  return fgetc(f);
+  return tmp_char;
 }
 
 int readSInt8(FILE *f)