forge/ayaports
1
0
Fork 0
Code Issues 22 Pull requests 11 Projects Releases Packages Wiki Activity Actions
ayaports/backports/openscad/0001-fix-CVE-2022-0496.patch

76 lines
3.7 KiB
Diff
Raw Permalink Blame History

From 00a4692989c4e2f191525f73f24ad8727bacdf41 Mon Sep 17 00:00:00 2001
From: Torsten Paul <Torsten.Paul@gmx.de>
Date: Sat, 5 Feb 2022 18:38:31 +0100
Subject: [PATCH] CVE-2022-0496 Out-of-bounds memory access in DXF loader.
Public issue:
https://github.com/openscad/openscad/issues/4037
Fix in master branch:
https://github.com/openscad/openscad/pull/4090
---
src/dxfdata.cc | 27 +++++++++++++++++++++++----
1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/src/dxfdata.cc b/src/dxfdata.cc
index 2bb7236746..aa6b6f3976 100644
--- a/src/dxfdata.cc
+++ b/src/dxfdata.cc
@@ -441,6 +441,11 @@ DxfData::DxfData(double fn, double fs, double fa,
auto lv = grid.data(this->points[lines[idx].idx[j]][0], this->points[lines[idx].idx[j]][1]);
for (size_t ki = 0; ki < lv.size(); ++ki) {
int k = lv.at(ki);
+ if (k < 0 || k >= lines.size()) {
+ LOG(message_group::Warning,Location::NONE,"",
+ "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string()));
+ continue;
+ }
if (k == idx || lines[k].disabled) continue;
goto next_open_path_j;
}
@@ -466,13 +471,20 @@ DxfData::DxfData(double fn, double fs, double fa,
auto lv = grid.data(ref_point[0], ref_point[1]);
for (size_t ki = 0; ki < lv.size(); ++ki) {
int k = lv.at(ki);
+ if (k < 0 || k >= lines.size()) {
+ LOG(message_group::Warning,Location::NONE,"",
+ "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string()));
+ continue;
+ }
if (lines[k].disabled) continue;
- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[0]][0], this->points[lines[k].idx[0]][1])) {
+ auto idk0 = lines[k].idx[0]; // make it easier to read and debug
+ auto idk1 = lines[k].idx[1];
+ if (grid.eq(ref_point[0], ref_point[1], this->points[idk0][0], this->points[idk0][1])) {
current_line = k;
current_point = 0;
goto found_next_line_in_open_path;
}
- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[1]][0], this->points[lines[k].idx[1]][1])) {
+ if (grid.eq(ref_point[0], ref_point[1], this->points[idk1][0], this->points[idk1][1])) {
current_line = k;
current_point = 1;
goto found_next_line_in_open_path;
@@ -501,13 +513,20 @@ DxfData::DxfData(double fn, double fs, double fa,
auto lv = grid.data(ref_point[0], ref_point[1]);
for (size_t ki = 0; ki < lv.size(); ++ki) {
int k = lv.at(ki);
+ if (k < 0 || k >= lines.size()) {
+ LOG(message_group::Warning,Location::NONE,"",
+ "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string()));
+ continue;
+ }
if (lines[k].disabled) continue;
- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[0]][0], this->points[lines[k].idx[0]][1])) {
+ auto idk0 = lines[k].idx[0]; // make it easier to read and debug
+ auto idk1 = lines[k].idx[1];
+ if (grid.eq(ref_point[0], ref_point[1], this->points[idk0][0], this->points[idk0][1])) {
current_line = k;
current_point = 0;
goto found_next_line_in_closed_path;
}
- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[1]][0], this->points[lines[k].idx[1]][1])) {
+ if (grid.eq(ref_point[0], ref_point[1], this->points[idk1][0], this->points[idk1][1])) {
current_line = k;
current_point = 1;
goto found_next_line_in_closed_path;
Reference in a new issue View git blame Copy permalink