CVE-2022-0496 Out-of-bounds memory access in DXF loader.
Public issue:
#4037

Fix in master branch:
#4090
t-paul committed Feb 5, 2022
1 parent 41f58fe commit 00a4692
Showing 1 changed file with 23 additions and 4 deletions.
27 changes: 23 additions & 4 deletions src/dxfdata.cc
Expand Up @@ -441,6 +441,11 @@ DxfData::DxfData(double fn, double fs, double fa,
auto lv = grid.data(this->points[lines[idx].idx[j]][0], this->points[lines[idx].idx[j]][1]);
for (size_t ki = 0; ki < lv.size(); ++ki) {
int k = lv.at(ki);
if (k < 0 || k >= lines.size()) {
LOG(message_group::Warning,Location::NONE,"",
"Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string()));
continue;
}
if (k == idx || lines[k].disabled) continue;
goto next_open_path_j;
}
Expand All @@ -466,13 +471,20 @@ DxfData::DxfData(double fn, double fs, double fa,
auto lv = grid.data(ref_point[0], ref_point[1]);
for (size_t ki = 0; ki < lv.size(); ++ki) {
int k = lv.at(ki);
if (k < 0 || k >= lines.size()) {
LOG(message_group::Warning,Location::NONE,"",
"Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string()));
continue;
}
if (lines[k].disabled) continue;
if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[0]][0], this->points[lines[k].idx[0]][1])) {
auto idk0 = lines[k].idx[0]; // make it easier to read and debug
auto idk1 = lines[k].idx[1];
if (grid.eq(ref_point[0], ref_point[1], this->points[idk0][0], this->points[idk0][1])) {
current_line = k;
current_point = 0;
goto found_next_line_in_open_path;
}
if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[1]][0], this->points[lines[k].idx[1]][1])) {
if (grid.eq(ref_point[0], ref_point[1], this->points[idk1][0], this->points[idk1][1])) {
current_line = k;
current_point = 1;
goto found_next_line_in_open_path;
Expand Down Expand Up @@ -501,13 +513,20 @@ DxfData::DxfData(double fn, double fs, double fa,
auto lv = grid.data(ref_point[0], ref_point[1]);
for (size_t ki = 0; ki < lv.size(); ++ki) {
int k = lv.at(ki);
if (k < 0 || k >= lines.size()) {
LOG(message_group::Warning,Location::NONE,"",
"Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string()));
continue;
}
if (lines[k].disabled) continue;
if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[0]][0], this->points[lines[k].idx[0]][1])) {
auto idk0 = lines[k].idx[0]; // make it easier to read and debug
auto idk1 = lines[k].idx[1];
if (grid.eq(ref_point[0], ref_point[1], this->points[idk0][0], this->points[idk0][1])) {
current_line = k;
current_point = 0;
goto found_next_line_in_closed_path;
}
if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[1]][0], this->points[lines[k].idx[1]][1])) {
if (grid.eq(ref_point[0], ref_point[1], this->points[idk1][0], this->points[idk1][1])) {
current_line = k;
current_point = 1;
goto found_next_line_in_closed_path;
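Review bot: The bounds check on `k` is repeated verbatim in all three hunks and rejects bad indices only where they are read, so any other loop over `grid.data(...)` in `DxfData::DxfData` (whose body starts and ends outside these hunks) would still index `lines` unchecked; a single local helper, or validating the index where it is stored into `grid`, would keep the guard from drifting. The comparison `k >= lines.size()` mixes `int` with an unsigned size and is correct only because `k < 0` is tested first; `if (k < 0 || static_cast<size_t>(k) >= lines.size())` makes that explicit and avoids sign-compare warnings. The warning is logged once per bad entry inside the path-tracing loops, so a malformed file can repeat the same message many times, and logging it once per file would be enough. The point indices `idk0`/`idk1` are still used on `this->points` without a range check, which is presumably safe if `lines` only ever holds indices of existing points; a one-line comment stating that invariant next to `auto idk0 = lines[k].idx[0];` would help the next reader.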
