45 lines
1.1 KiB
Diff
45 lines
1.1 KiB
Diff
From ab5ee87cbbe1b94a45d5c7974b321e2ee78d1238 Mon Sep 17 00:00:00 2001
|
|
From: zhoupengcheng <zhoupengcheng11@huawei.com>
|
|
Date: Sat, 26 Nov 2022 18:27:48 +0800
|
|
Subject: [PATCH] fix CVE-2021-33642
|
|
|
|
next_inline() return EOF cause infinite loop in more_curly(),
|
|
Add EOF case in more_curly(), don't allow multiple line.
|
|
---
|
|
reader.c | 10 +++++++++-
|
|
1 file changed, 9 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/reader.c b/reader.c
|
|
index 2a1dfe5..6a9bb7c 100644
|
|
--- a/reader.c
|
|
+++ b/reader.c
|
|
@@ -1030,8 +1030,10 @@ more_curly(void)
|
|
|
|
int result = 0;
|
|
int finish = 0;
|
|
+ int c;
|
|
FILE *f = input_file;
|
|
long int old_pos = ftell(f);
|
|
+ long int new_pos = old_pos;
|
|
int save_linesize = linesize;
|
|
char *save_line = TMALLOC(char, linesize);
|
|
NO_SPACE(save_line);
|
|
@@ -1039,7 +1041,13 @@ more_curly(void)
|
|
memcpy(save_line, line, linesize);
|
|
do
|
|
{
|
|
- switch (next_inline())
|
|
+ c = next_inline();
|
|
+ // Don't allow multiple line, so we use file position to check
|
|
+ // Only get_line() will move file postion forward
|
|
+ new_pos = ftell(f);
|
|
+ if (c == (EOF) || old_pos != new_pos)
|
|
+ break;
|
|
+ switch (c)
|
|
{
|
|
case 0:
|
|
case '\n':
|
|
--
|
|
2.27.0
|
|
|