Fix yet another buffer overflow in the braille table parser

Reported by Henri Salo Fixes #592
liblouis · Jun 4, 2018 · fb2bfce · fb2bfce
1 parent d4fc803
commit fb2bfce
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/NEWS b/NEWS
@@ -20,6 +20,8 @@ issues]].
 - Fix a memory leak in default table resolver thanks to Timothy Lee.
 - Fix an array out of bounds error which caused a crash on i386 thanks
   to Samuel Thibault.
+- Fix numerous stack-based buffer overflow in table parsing thanks
+  that were reported by Henri Salo thanks to Christian Egli.
 
 ** Braille table improvements
 - Fix some forward- and back-translation errors in Unified French Grade

diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c
@@ -4557,16 +4557,19 @@ includeFile(FileInfo *nested, CharsString *includedFile,
 	int rv;
 	for (k = 0; k < includedFile->length; k++)
 		includeThis[k] = (char)includedFile->chars[k];
+	if (k >= MAXSTRING) {
+		compileError(nested, "Include statement too long: 'include %s'", includeThis);
+		return 0;
+	}
 	includeThis[k] = 0;
 	tableFiles = _lou_resolveTable(includeThis, nested->fileName);
 	if (tableFiles == NULL) {
 		errorCount++;
 		return 0;
 	}
 	if (tableFiles[1] != NULL) {
-		errorCount++;
 		free_tablefiles(tableFiles);
-		_lou_logMessage(LOG_ERROR,
+		compileError(nested,
 				"Table list not supported in include statement: 'include %s'",
 				includeThis);
 		return 0;