aboutsummaryrefslogtreecommitdiff
path: root/nx-X11/lib/X11/imLcPrs.c
diff options
context:
space:
mode:
Diffstat (limited to 'nx-X11/lib/X11/imLcPrs.c')
-rw-r--r--nx-X11/lib/X11/imLcPrs.c73
1 files changed, 57 insertions, 16 deletions
diff --git a/nx-X11/lib/X11/imLcPrs.c b/nx-X11/lib/X11/imLcPrs.c
index 4dbcbbed4..ad65da694 100644
--- a/nx-X11/lib/X11/imLcPrs.c
+++ b/nx-X11/lib/X11/imLcPrs.c
@@ -41,6 +41,8 @@ OR PERFORMANCE OF THIS SOFTWARE.
#include "Ximint.h"
#include <sys/stat.h>
#include <stdio.h>
+#include <limits.h>
+#include "pathmax.h"
#define XLC_BUFSIZE 256
@@ -56,6 +58,8 @@ extern int _Xmbstoutf8(
int len
);
+static void parsestringfile(FILE *fp, Xim im, int depth);
+
/*
* Parsing File Format:
*
@@ -304,9 +308,9 @@ static char*
TransFileName(Xim im, char *name)
{
char *home = NULL, *lcCompose = NULL;
- char dir[XLC_BUFSIZE];
- char *i = name, *ret, *j;
- int l = 0;
+ char dir[XLC_BUFSIZE] = "";
+ char *i = name, *ret = NULL, *j;
+ size_t l = 0;
while (*i) {
if (*i == '%') {
@@ -316,29 +320,51 @@ TransFileName(Xim im, char *name)
l++;
break;
case 'H':
- home = getenv("HOME");
- if (home)
- l += strlen(home);
+ if (home == NULL)
+ home = getenv("HOME");
+ if (home) {
+ size_t Hsize = strlen(home);
+ if (Hsize > PATH_MAX)
+ /* your home directory length is ridiculous */
+ goto end;
+ l += Hsize;
+ }
break;
case 'L':
- lcCompose = _XlcFileName(im->core.lcd, COMPOSE_FILE);
- if (lcCompose)
- l += strlen(lcCompose);
+ if (lcCompose == NULL)
+ lcCompose = _XlcFileName(im->core.lcd, COMPOSE_FILE);
+ if (lcCompose) {
+ size_t Lsize = strlen(lcCompose);
+ if (Lsize > PATH_MAX)
+ /* your compose pathname length is ridiculous */
+ goto end;
+ l += Lsize;
+ }
break;
case 'S':
- xlocaledir(dir, XLC_BUFSIZE);
- l += strlen(dir);
+ if (dir[0] == '\0')
+ xlocaledir(dir, XLC_BUFSIZE);
+ if (dir[0]) {
+ size_t Ssize = strlen(dir);
+ if (Ssize > PATH_MAX)
+ /* your locale directory path length is ridiculous */
+ goto end;
+ l += Ssize;
+ }
break;
}
} else {
l++;
}
i++;
+ if (l > PATH_MAX)
+ /* your expanded path length is ridiculous */
+ goto end;
}
j = ret = Xmalloc(l+1);
if (ret == NULL)
- return ret;
+ goto end;
i = name;
while (*i) {
if (*i == '%') {
@@ -357,7 +383,6 @@ TransFileName(Xim im, char *name)
if (lcCompose) {
strcpy(j, lcCompose);
j += strlen(lcCompose);
- Xfree(lcCompose);
}
break;
case 'S':
@@ -371,6 +396,8 @@ TransFileName(Xim im, char *name)
}
}
*j = '\0';
+end:
+ Xfree(lcCompose);
return ret;
}
@@ -422,7 +449,8 @@ static int
parseline(
FILE *fp,
Xim im,
- char* tokenbuf)
+ char* tokenbuf,
+ int depth)
{
int token;
DTModifier modifier_mask;
@@ -469,11 +497,13 @@ parseline(
goto error;
if ((filename = TransFileName(im, tokenbuf)) == NULL)
goto error;
+ if (++depth > 100)
+ goto error;
infp = _XFopenFile(filename, "r");
Xfree(filename);
if (infp == NULL)
goto error;
- _XimParseStringFile(infp, im);
+ parsestringfile(infp, im, depth);
fclose(infp);
return (0);
} else if ((token == KEY) && (strcmp("None", tokenbuf) == 0)) {
@@ -667,17 +697,28 @@ _XimParseStringFile(
FILE *fp,
Xim im)
{
+ parsestringfile(fp, im, 0);
+}
+
+static void
+parsestringfile(
+ FILE *fp,
+ Xim im,
+ int depth)
+{
char tb[8192];
char* tbp;
struct stat st;
if (fstat (fileno (fp), &st) != -1) {
unsigned long size = (unsigned long) st.st_size;
+ if (st.st_size >= INT_MAX)
+ return;
if (size <= sizeof tb) tbp = tb;
else tbp = malloc (size);
if (tbp != NULL) {
- while (parseline(fp, im, tbp) >= 0) {}
+ while (parseline(fp, im, tbp, depth) >= 0) {}
if (tbp != tb) free (tbp);
}
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-19 21:42:41 +0000