resolveSubtable: Fix buffer overflow parsing a malformed table

The subtable's name can theoretically be up to MAXSTRING characters long. The base name is then copied into a buffer, and the subtable's name is appended, so we should allocate more than MAXSTRING bytes for the buffer. Fixes CVE-2017-13739, CVE-2017-13740, and CVE-2017-13742.
liblouis · Aug 30, 2017 · d8cfdf1 · d8cfdf1
1 parent edf8ee0
commit d8cfdf1
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c
@@ -4980,7 +4980,7 @@ resolveSubtable (const char *table, const char *base, const char *searchPath)
 
   if (table == NULL || table[0] == '\0')
     return NULL;
-  tableFile = (char *) malloc (MAXSTRING * sizeof(char));
+  tableFile = (char *) malloc (MAXSTRING * sizeof(char) * 2);
 
   //
   // First try to resolve against base