Fix another buffer overflow in table parsing reported by Henri Salo

Fixes #575 and CVE-2018-11440
liblouis · May 30, 2018 · 4417bad · 4417bad
1 parent 53b839f
commit 4417bad
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/NEWS b/NEWS
@@ -11,8 +11,9 @@ issues]].
 - Add =maxOutputLength= option in YAML tests.
 
 ** Bug fixes
-- Fix a buffer overflow in table parsing thanks to Samuel Thibault.
-  Fixes CVE-2018-11410.
+- Fix a bunch of buffer overflow errors in table parsing thanks to
+  Samuel Thibault and Christian Egli (CVE-2018-11410 and
+  CVE-2018-11440).
 - Fix input-output mapping of context rules thanks to Bert Frees.
 - Fix back tracking with all caps words thanks to Bert Frees.
 - Fix context rules with lookback thanks to Bert Frees.

diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c
@@ -1138,6 +1138,10 @@ parseChars(FileInfo *nested, CharsString *result, CharsString *token) {
 		utf32 = ch & (0XFF - first0Bit[numBytes]);
 		for (k = 0; k < numBytes; k++) {
 			if (in >= MAXSTRING) break;
+			if (out >= MAXSTRING) {
+				result->length = lastOutSize;
+				return 1;
+			}
 			if (token->chars[in] < 128 || (token->chars[in] & 0x0040)) {
 				compileWarning(nested, "invalid UTF-8. Assuming Latin-1.");
 				result->chars[out++] = token->chars[lastIn];