ezxml: cherry-pick the patch from netcdf

sylvestre · davidcl · commit 7ad00741e3c3 · 2022-11-03T11:24:02.000Z
Unidata/netcdf-c#2125 Fix CVE-2022-30045 Reported: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014391 Credits to Dennis Heimbigner
diff --git a/scilab/modules/scicos/src/c/ezxml.c b/scilab/modules/scicos/src/c/ezxml.c
@@ -303,6 +303,11 @@ char *ezxml_decode(char *s, char **ent, char t)
 
                 if (e)
                 {
+                    if(c > strlen(s) || strlen(e) > strlen(s + c)) {
+                        fprintf(stderr, "Error: ezxml_decode(): memmove() past end of buffer!");
+                        exit(-1);
+                    }
+
                     memmove(s + c, e + 1, strlen(e)); // shift rest of string
                     strncpy(s, ent[b], c); // copy in replacement text
                 }

Original file line number	Diff line number	Diff line change
`@@ -303,6 +303,11 @@ char ezxml_decode(char s, char **ent, char t)`
`303`	`303`
`304`	`304`	`if (e)`
`305`	`305`	`{`
	`306`	`+ if(c > strlen(s) \|\| strlen(e) > strlen(s + c)) {`
	`307`	`+ fprintf(stderr, "Error: ezxml_decode(): memmove() past end of buffer!");`
	`308`	`+ exit(-1);`
	`309`	`+ }`
	`310`	`+`
`306`	`311`	`memmove(s + c, e + 1, strlen(e)); // shift rest of string`
`307`	`312`	`strncpy(s, ent[b], c); // copy in replacement text`
`308`	`313`	`}`