On Mon, 21 Jun 2004, Victor Tsang wrote:
> Came across this on linuxtoday.com
>
> http://linuxtoday.com/security/2004062101226SCSW
>
> which mention a buffer overflow in the 'word-list-compress' utility.
>
> checking the aspell main site, it doesn't seem to mention this bug nor
> provide any fixes.
No one bothered to tell me about it!
You can find the advisory here http://nettwerked.mg2.org/advisories/wlc.
The patch they provide is bogus.
Attached is a correct fix for the problem.
--
http://kevin.atkinson.dhs.org
Index: compress.c
===================================================================
RCS file: /cvsroot/aspell/aspell/prog/compress.c,v
retrieving revision 1.3
diff -u -r1.3 compress.c
--- compress.c 9 Sep 2002 20:56:10 -0000 1.3
+++ compress.c 23 Jun 2004 08:24:01 -0000
@@ -28,24 +28,28 @@
#endif
+#define BUFSIZE 256
+
void usage ()
{
fputs("Compresses or uncompresses sorted word lists.\n" , stderr);
fputs("For best result the locale should be set to C\n" , stderr);
fputs("before sorting by setting the environmental\n" , stderr);
fputs("variable LANG to \"C\" before sorting.\n" , stderr);
- fputs("Copyright 2001 by Kevin Atkinson.\n" , stderr);
+ fputs("Copyright 2001,2004 by Kevin Atkinson.\n" , stderr);
fputs("Usage: word-list-compress c[ompress]|d[ecompress]\n" , stderr);
}
-static int get_word(FILE * in, char * w)
+// bufsize > 2
+static int get_word(FILE * in, char * w, size_t bufsize)
{
int c;
while (c = getc(in), c != EOF && c <= 32);
if (c == EOF) return 0;
do {
*w++ = (char)(c);
- } while (c = getc(in), c != EOF && c > 32);
+ --bufsize;
+ } while (c = getc(in), c != EOF && c > 32 && bufsize > 1);
*w = '\0';
ungetc(c, in);
if (c == EOF) return 0;
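Review bot: A word of bufsize-1 or more bytes is now silently split rather than reported: the loop exits when bufsize reaches 1 with the next word byte still in c, ungetc() pushes it back, and the following call returns the tail as a separate word, so the compressor writes two words where the input had one and nothing tells the caller. The comment `// bufsize > 2` states a precondition the function never checks (with bufsize 1 the terminator still lands one past the buffer, and `--bufsize` on 0 wraps a size_t), so either enforce it or document the contract at the declaration, e.g. `/* w must hold at least bufsize (>= 2) bytes; a word longer than bufsize-1 is cut and its remainder is returned by the next call */`. A stronger fix would make get_word return a distinct value when `bufsize == 1 && c > 32` so main can treat an oversized word as corrupt input instead of silently reshaping the list. Style: the new `//` comment is the only C99-style comment in a file that otherwise uses `/* */`. get_word's body continues outside the hunk.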
@@ -61,15 +65,15 @@
} else if (argv[1][0] == 'c') {
- char s1[256];
- char s2[256];
+ char s1[BUFSIZE];
+ char s2[BUFSIZE];
char * prev = s2;
char * cur = s1;
*prev = '\0';
SETBIN (stdout);
- while (get_word(stdin, cur)) {
+ while (get_word(stdin, cur, BUFSIZE)) {
int i = 0;
/* get the length of the prefix */
while (prev[i] != '\0' && cur[i] != '\0' && prev[i] == cur[i])
@@ -99,9 +103,11 @@
while (i != -1 ) {
if (i == 0)
i = getc(stdin);
- --i;
- while ((c = getc(stdin)) > 32)
+ --i;
+ if (i < 0) goto error;
+ while ((c = getc(stdin)) > 32 && i < BUFSIZE)
cur[i++] = (char)c;
+ if (i == BUFSIZE) goto error;
cur[i] = '\0';
fputs(cur, stdout);
putc('\n', stdout);
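Review bot: The prefix length `i` produced by `--i;` is now checked against 0 and the copy is bounded at BUFSIZE, but `i` is never compared with the length of the word currently held in cur, so a count byte larger than the previous word's length makes `fputs(cur, stdout)` emit whatever bytes sit in cur between the old terminator and index i — stale data from an earlier, longer word, or uninitialized stack if cur is not zero-initialized where it is declared (outside this hunk). Remembering the last written length, `len = i;` after `cur[i] = '\0';`, and adding `if (i > len) goto error;` right after `if (i < 0) goto error;` rejects such input; `len` needs an `int len = 0;` declaration next to cur, outside the hunk. The surrounding while loop begins before and ends after the hunk.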
@@ -109,6 +115,10 @@
}
return 0;
+ error:
+ fputs("ERROR: Corrupt Input.\n", stderr);
+ return 2;
+
} else {
usage();