[packages/Canna.git] / Canna-multivul.patch

diff -ruN Canna35b2.orig/server/convert.c Canna35b2/server/convert.c
--- Canna35b2.orig/server/convert.c	Mon Dec  2 20:01:34 1996
+++ Canna35b2/server/convert.c	Mon Nov 11 19:59:52 2002
@@ -53,6 +53,8 @@
 #define ACK2 2
 #define ACK3 3
 #define CHECK_ACK_BUF_SIZE	(ACK_BUFSIZE + (SIZEOFLONG * 2) )
+#define IR_INT_MAX 32767
+#define IR_INT_INVAL(x) ((unsigned int)x > IR_INT_MAX)
 
 extern int  errno;
 
@@ -1778,6 +1780,8 @@
 	return( needsize ) ;
 
     req->namelen = (int)L4TOL(buf + SIZE4);
+    if( IR_INT_INVAL(req->namelen) )
+	return( -1 );
    ir_debug( Dmsg(10,"req->namelen =%d\n", req->namelen ); )
 
     if( (needsize = SIZE8 + req->namelen - size) > 0 )
@@ -1785,6 +1789,8 @@
 
     if( req->namelen > 0 ){
 	req->name = buf + SIZE8 ;
+	if( req->name[req->namelen - 1] != 0 )
+	    return( -1 );
     }
    ir_debug( Dmsg(10,"req->namelen =%d\n", req->namelen ); )
    ir_debug( Dmsg(10,"req->name =%s\n", req->name ); )
diff -ruN Canna35b2.orig/server/util.c Canna35b2/server/util.c
--- Canna35b2.orig/server/util.c	Wed Nov  6 19:09:47 1996
+++ Canna35b2/server/util.c	Mon Nov 11 19:59:52 2002
@@ -217,6 +217,19 @@
   return res;
 }
 
+const Ushort *
+ushortmemchr(ws, ch, len)
+const Ushort *ws;
+int ch;
+size_t len;
+{
+  const Ushort *p, *end;
+  for (p = ws, end = ws + len; p < end; ++p)
+      if (*p == (Ushort)ch)
+	  return p;
+  return NULL;
+}
+
 int
 ushortstrcpy(wd, ws)
 Ushort *wd, *ws;
diff -ruN Canna35b2.orig/server/wconvert.c Canna35b2/server/wconvert.c
--- Canna35b2.orig/server/wconvert.c	Mon Nov 11 19:42:07 2002
+++ Canna35b2/server/wconvert.c	Mon Nov 11 19:59:52 2002
@@ -100,6 +100,7 @@
 #endif
 
 extern void DispDebug() ;
+extern const Ushort *ushortmemchr pro((const Ushort *, int, size_t));
 extern int canna_server_hi ;
 extern int canna_server_lo ;
 #ifdef DEBUG
@@ -1322,7 +1323,10 @@
     char *dirname, *dirnamelong = (char *)0;
     int cxnum = Request.type18.context, stat = -1;
     int requestsize = Request.type18.size, retval;
+    size_t datasize = Request.type18.datalen - SIZEOFSHORT * 2;
 
+    if (datasize == 0 || req->data[datasize - 1] != 0)
+      goto protoerr;
     if (validcontext(cxnum, client, wListDictionary)) {
       if (requestsize <= sizeof(local_buffer) ||
 	  (dicnames = malloc(requestsize))) {
@@ -1359,6 +1363,7 @@
       }
     }	
 
+protoerr:
     retval = SendType6Reply(client, wListDictionary, EXTPROTO, stat,
 			    dicnames, namesize(dicnames, stat));
     if (dicnames != (char *)local_buffer) free(dicnames);
@@ -1470,10 +1475,15 @@
     char *dicname, *dirname, *dirnamelong = (char *)0;
     int cxnum = Request.type18.context, stat = BADCONT;
     int dirlen, requestsize = Request.type18.size, retval;
+    size_t datasize = Request.type18.datalen - SIZEOFSHORT * 2;
 
+    if (datasize == 0 || req->data[datasize - 1] != 0)
+      goto protoerr;
     if (validcontext(cxnum, client, wGetWordTextDictionary)) {
 	dirname = req->data ;
 	dirlen = strlen(dirname) + 1 ;
+	if (dirlen == datasize)
+	  goto protoerr;
 	dicname = &(req->data[dirlen]) ;
 	if (dirlen > 1) {
 	  if (!dirname || dirname[0] != ':' ||
@@ -1515,6 +1525,7 @@
 	  free(dirnamelong);
 	}
     }
+protoerr:
     retval = SendType7Reply(client, wGetWordTextDictionary, EXTPROTO,
 			    stat, stat > 0 ? stat + 1 : 0, infobuf);
     if (infobuf != (Ushort *)local_buffer) free((char *)infobuf);
@@ -2296,6 +2307,9 @@
 {
     ir_debug( Dmsg(10, "ProcWideReq1 start!!\n") );
 
+    if (Request.type1.datalen != 0)
+	return( -1 );
+
     return( 0 ) ;
 }
 
@@ -2305,6 +2319,8 @@
 {
     ir_debug( Dmsg(10, "ProcWideReq2 start!!\n") );
 
+    if (Request.type2.datalen != SIZEOFSHORT)
+	return( -1 );
     buf += HEADER_SIZE; Request.type2.context = S2TOS(buf);
     ir_debug( Dmsg(10, "req->context =%d\n", Request.type2.context) );
 
@@ -2317,6 +2333,8 @@
 {
     ir_debug( Dmsg(10, "ProcWideReq3 start!!\n") );
 
+    if (Request.type3.datalen != SIZEOFSHORT * 2)
+	return( -1 );
     buf += HEADER_SIZE; Request.type3.context = S2TOS(buf);
     buf += SIZEOFSHORT; Request.type3.buflen = S2TOS(buf);
     ir_debug( Dmsg(10, "req->context =%d\n", Request.type3.context) );
@@ -2334,12 +2352,18 @@
 
     ir_debug( Dmsg(10, "ProcWideReq4 start!!\n") );
 
+    if (Request.type4.datalen < SIZEOFSHORT * 4)
+	return( -1 );
     buf += HEADER_SIZE; Request.type4.context = S2TOS(buf);
     buf += SIZEOFSHORT; Request.type4.begin = S2TOS(buf);
     buf += SIZEOFSHORT; Request.type4.end = S2TOS(buf);
     buf += SIZEOFSHORT; Request.type4.yomilen = S2TOS(buf);
     Request.type4.yomi = (Ushort *)(buf += SIZEOFSHORT) ;
-    len = Request.type4.datalen - SIZEOFSHORT * 4;
+    len = Request.type4.yomilen + 1;
+    if (Request.type4.datalen != SIZEOFSHORT * (4 + len)
+	    || len == 0
+	    || Request.type4.yomi[len - 1] != 0)
+	return( -1 );
     for (data = Request.type4.yomi, i = 0; i < len; i++, data++)
Commit	Line	Data
e4bc9042 JB	1	diff -ruN Canna35b2.orig/server/convert.c Canna35b2/server/convert.c
	2	--- Canna35b2.orig/server/convert.c Mon Dec 2 20:01:34 1996
	3	+++ Canna35b2/server/convert.c Mon Nov 11 19:59:52 2002
	4	@@ -53,6 +53,8 @@
	5	#define ACK2 2
	6	#define ACK3 3
	7	#define CHECK_ACK_BUF_SIZE (ACK_BUFSIZE + (SIZEOFLONG * 2) )
	8	+#define IR_INT_MAX 32767
	9	+#define IR_INT_INVAL(x) ((unsigned int)x > IR_INT_MAX)
	10
	11	extern int errno;
	12
	13	@@ -1778,6 +1780,8 @@
	14	return( needsize ) ;
	15
	16	req->namelen = (int)L4TOL(buf + SIZE4);
	17	+ if( IR_INT_INVAL(req->namelen) )
	18	+ return( -1 );
	19	ir_debug( Dmsg(10,"req->namelen =%d\n", req->namelen ); )
	20
	21	if( (needsize = SIZE8 + req->namelen - size) > 0 )
	22	@@ -1785,6 +1789,8 @@
	23
	24	if( req->namelen > 0 ){
	25	req->name = buf + SIZE8 ;
	26	+ if( req->name[req->namelen - 1] != 0 )
	27	+ return( -1 );
	28	}
	29	ir_debug( Dmsg(10,"req->namelen =%d\n", req->namelen ); )
	30	ir_debug( Dmsg(10,"req->name =%s\n", req->name ); )
	31	diff -ruN Canna35b2.orig/server/util.c Canna35b2/server/util.c
	32	--- Canna35b2.orig/server/util.c Wed Nov 6 19:09:47 1996
	33	+++ Canna35b2/server/util.c Mon Nov 11 19:59:52 2002
	34	@@ -217,6 +217,19 @@
	35	return res;
	36	}
	37
	38	+const Ushort *
	39	+ushortmemchr(ws, ch, len)
	40	+const Ushort *ws;
	41	+int ch;
	42	+size_t len;
	43	+{
	44	+ const Ushort p, end;
	45	+ for (p = ws, end = ws + len; p < end; ++p)
	46	+ if (*p == (Ushort)ch)
	47	+ return p;
	48	+ return NULL;
	49	+}
	50	+
	51	int
	52	ushortstrcpy(wd, ws)
	53	Ushort wd, ws;
	54	diff -ruN Canna35b2.orig/server/wconvert.c Canna35b2/server/wconvert.c
	55	--- Canna35b2.orig/server/wconvert.c Mon Nov 11 19:42:07 2002
	56	+++ Canna35b2/server/wconvert.c Mon Nov 11 19:59:52 2002
	57	@@ -100,6 +100,7 @@
	58	#endif
	59
	60	extern void DispDebug() ;
	61	+extern const Ushort ushortmemchr pro((const Ushort , int, size_t));
	62	extern int canna_server_hi ;
	63	extern int canna_server_lo ;
	64	#ifdef DEBUG
65	@@ -1322,7 +1323,10 @@
66	char dirname, dirnamelong = (char *)0;
67	int cxnum = Request.type18.context, stat = -1;
68	int requestsize = Request.type18.size, retval;
69	+ size_t datasize = Request.type18.datalen - SIZEOFSHORT * 2;
70
71	+ if (datasize == 0 \|\| req->data[datasize - 1] != 0)
72	+ goto protoerr;
73	if (validcontext(cxnum, client, wListDictionary)) {
74	if (requestsize <= sizeof(local_buffer) \|\|
75	(dicnames = malloc(requestsize))) {
76	@@ -1359,6 +1363,7 @@
77	}
78	}
79
80	+protoerr:
81	retval = SendType6Reply(client, wListDictionary, EXTPROTO, stat,
82	dicnames, namesize(dicnames, stat));
83	if (dicnames != (char *)local_buffer) free(dicnames);
84	@@ -1470,10 +1475,15 @@
85	char dicname, dirname, dirnamelong = (char )0;
86	int cxnum = Request.type18.context, stat = BADCONT;
87	int dirlen, requestsize = Request.type18.size, retval;
88	+ size_t datasize = Request.type18.datalen - SIZEOFSHORT * 2;
89
90	+ if (datasize == 0 \|\| req->data[datasize - 1] != 0)
91	+ goto protoerr;
92	if (validcontext(cxnum, client, wGetWordTextDictionary)) {
93	dirname = req->data ;
94	dirlen = strlen(dirname) + 1 ;
95	+ if (dirlen == datasize)
96	+ goto protoerr;
97	dicname = &(req->data[dirlen]) ;
98	if (dirlen > 1) {
99	if (!dirname \|\| dirname[0] != ':' \|\|
100	@@ -1515,6 +1525,7 @@
101	free(dirnamelong);
102	}
103	}
104	+protoerr:
105	retval = SendType7Reply(client, wGetWordTextDictionary, EXTPROTO,
106	stat, stat > 0 ? stat + 1 : 0, infobuf);
107	if (infobuf != (Ushort )local_buffer) free((char )infobuf);
108	@@ -2296,6 +2307,9 @@
109	{
110	ir_debug( Dmsg(10, "ProcWideReq1 start!!\n") );
111
112	+ if (Request.type1.datalen != 0)
113	+ return( -1 );
114	+
115	return( 0 ) ;
116	}
117
118	@@ -2305,6 +2319,8 @@
119	{
120	ir_debug( Dmsg(10, "ProcWideReq2 start!!\n") );
121
122	+ if (Request.type2.datalen != SIZEOFSHORT)
123	+ return( -1 );
124	buf += HEADER_SIZE; Request.type2.context = S2TOS(buf);
125	ir_debug( Dmsg(10, "req->context =%d\n", Request.type2.context) );
126
127	@@ -2317,6 +2333,8 @@
128	{
129	ir_debug( Dmsg(10, "ProcWideReq3 start!!\n") );
130
131	+ if (Request.type3.datalen != SIZEOFSHORT * 2)
132	+ return( -1 );
133	buf += HEADER_SIZE; Request.type3.context = S2TOS(buf);
134	buf += SIZEOFSHORT; Request.type3.buflen = S2TOS(buf);
135	ir_debug( Dmsg(10, "req->context =%d\n", Request.type3.context) );
136	@@ -2334,12 +2352,18 @@
137
138	ir_debug( Dmsg(10, "ProcWideReq4 start!!\n") );
139
140	+ if (Request.type4.datalen < SIZEOFSHORT * 4)
141	+ return( -1 );
142	buf += HEADER_SIZE; Request.type4.context = S2TOS(buf);
143	buf += SIZEOFSHORT; Request.type4.begin = S2TOS(buf);
144	buf += SIZEOFSHORT; Request.type4.end = S2TOS(buf);
145	buf += SIZEOFSHORT; Request.type4.yomilen = S2TOS(buf);
146	Request.type4.yomi = (Ushort *)(buf += SIZEOFSHORT) ;
147	- len = Request.type4.datalen - SIZEOFSHORT * 4;
148	+ len = Request.type4.yomilen + 1;
149	+ if (Request.type4.datalen != SIZEOFSHORT * (4 + len)
150	+ \|\| len == 0
151	+ \|\| Request.type4.yomi[len - 1] != 0)
152	+ return( -1 );
153	for (data = Request.type4.yomi, i = 0; i < len; i++, data++)
154