21465165 problem in UTILITY/GRAPHVIZ
authorYiteng Zhang <yiteng.zhang@oracle.com>
Wed, 03 Aug 2016 15:33:19 -0700
changeset 6544 f3ddf1d33382
parent 6543 b5c03b086e6d
child 6546 b7f8bb4a1c18
21465165 problem in UTILITY/GRAPHVIZ
components/graphviz/patches/000-7aaddf5-buffer-overflow.patch
components/graphviz/patches/001-d266bb2-buffer-overflow.patch
components/graphviz/patches/002-1d1bdec-buffer-overflow.patch
components/graphviz/patches/003-99eda42-format-string.patch
components/graphviz/patches/004-495f781-format-string.patch
components/graphviz/patches/005-10a1322-format-string.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/graphviz/patches/000-7aaddf5-buffer-overflow.patch	Wed Aug 03 15:33:19 2016 -0700
@@ -0,0 +1,51 @@
+From 7aaddf52cd98589fb0c3ab72a393f8411838438a Mon Sep 17 00:00:00 2001
+From: "Emden R. Gansner" <[email protected]>
+Date: Fri, 4 Oct 2013 09:06:39 -0400
+Subject: [PATCH] Fix buffer overflow problem when reporting a syntax error
+ with a very long input line
+
+---
+ lib/cgraph/scan.l | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
+index 3cfde0f..2efd203 100644
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -16,6 +16,7 @@
+ %{
+ #include <grammar.h>
+ #include <cghdr.h>
++#include <agxbuf.h>
+ #include <ctype.h>
+ #define GRAPH_EOF_TOKEN		'@'		/* lex class must be defined below */
+ 	/* this is a workaround for linux flex */
+@@ -191,13 +192,21 @@ ID		({NAME}|{NUMBER})
+ %%
+ void yyerror(char *str)
+ {
++	unsigned char	xbuf[BUFSIZ];
+ 	char	buf[BUFSIZ];
+-	if (InputFile)
+-		sprintf(buf,"%s:%d: %s in line %d near '%s'\n",InputFile, line_num,
+-			str,line_num,yytext);
+-	else
+-		sprintf(buf," %s in line %d near '%s'\n", str,line_num,yytext);
+-	agerr(AGWARN,buf);
++	agxbuf  xb;
++
++	agxbinit(&xb, BUFSIZ, xbuf);
++	if (InputFile) {
++		agxbput (&xb, InputFile);
++		agxbput (&xb, ": ");
++	}
++	sprintf(buf," %s in line %d near '", str,line_num);
++	agxbput (&xb, buf);
++	agxbput (&xb, yytext);
++	agxbput (&xb,"'\n");
++	agerr(AGWARN,agxbuse(&xb));
++	agxbfree(&xb);
+ }
+ /* must be here to see flex's macro defns */
+ void aglexeof() { unput(GRAPH_EOF_TOKEN); }
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/graphviz/patches/001-d266bb2-buffer-overflow.patch	Wed Aug 03 15:33:19 2016 -0700
@@ -0,0 +1,24 @@
+From d266bb2b4154d11c27252b56d86963aef4434750 Mon Sep 17 00:00:00 2001
+From: "Emden R. Gansner" <[email protected]>
+Date: Tue, 7 Jan 2014 10:45:36 -0500
+Subject: [PATCH] Prevent possible buffer overflow in yyerror()
+
+---
+ lib/cgraph/scan.l | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
+index 3efe1d5..212967c 100644
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -201,7 +201,8 @@ void yyerror(char *str)
+ 		agxbput (&xb, InputFile);
+ 		agxbput (&xb, ": ");
+ 	}
+-	sprintf(buf," %s in line %d near '", str,line_num);
++	agxbput (&xb, str);
++	sprintf(buf," in line %d near '", line_num);
+ 	agxbput (&xb, buf);
+ 	agxbput (&xb, yytext);
+ 	agxbput (&xb,"'\n");
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/graphviz/patches/002-1d1bdec-buffer-overflow.patch	Wed Aug 03 15:33:19 2016 -0700
@@ -0,0 +1,56 @@
+From 1d1bdec6318746f6f19f245db589eddc887ae8ff Mon Sep 17 00:00:00 2001
+From: "Emden R. Gansner" <[email protected]>
+Date: Wed, 8 Jan 2014 11:31:04 -0500
+Subject: [PATCH] Fix possible buffer overflow problem in chkNum of scanner.
+
+---
+ lib/cgraph/scan.l | 35 ++++++++++++++++++++++++++---------
+ 1 file changed, 26 insertions(+), 9 deletions(-)
+
+diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
+index 212967c..d065b61 100644
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -129,15 +129,32 @@ static void ppDirective (void)
+  * and report this to the user.
+  */
+ static int chkNum(void) {
+-  unsigned char	c = (unsigned char)yytext[yyleng-1];   /* last character */
+-  if (!isdigit(c) && (c != '.')) {  /* c is letter */
+-	char	buf[BUFSIZ];
+-	sprintf(buf,"syntax error - badly formed number '%s' in line %d of %s\n",yytext,line_num, InputFile);
+-    strcat (buf, "splits into two name tokens\n");
+-	agerr(AGWARN,buf);
+-    return 1;
+-  }
+-  else return 0;
++    unsigned char c = (unsigned char)yytext[yyleng-1];   /* last character */
++    if (!isdigit(c) && (c != '.')) {  /* c is letter */
++	unsigned char xbuf[BUFSIZ];
++	char buf[BUFSIZ];
++	agxbuf  xb;
++	char* fname;
++
++	if (InputFile)
++	    fname = InputFile;
++	else
++	    fname = "input";
++
++	agxbinit(&xb, BUFSIZ, xbuf);
++
++	agxbput(&xb,"syntax ambiguity - badly delimited number '");
++	agxbput(&xb,yytext);
++	sprintf(buf,"' in line %d of ", line_num);
++	agxbput(&xb,buf);
++	agxbput(&xb,fname);
++	agxbput(&xb, " splits into two tokens\n");
++	agerr(AGWARN,agxbuse(&xb));
++
++	agxbfree(&xb);
++	return 1;
++    }
++    else return 0;
+ }
+ 
+ /* The LETTER class below consists of ascii letters, underscore, all non-ascii
+
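Review bot: In the rewritten chkNum body, `char* fname;` is assigned the string literal `"input"` on the else branch and is otherwise only passed to agxbput, so declaring it `const char *fname;` would state that nothing writes through it and avoid holding a literal in a mutable pointer. Whether InputFile is compatible with that qualifier cannot be seen here, since its declaration is outside the hunk, so this is worth checking before changing. The remaining `agerr(AGWARN,agxbuse(&xb));` call in this hunk is addressed by 004-495f781-format-string.patch in the same changeset, so nothing more is needed for it here.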
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/graphviz/patches/003-99eda42-format-string.patch	Wed Aug 03 15:33:19 2016 -0700
@@ -0,0 +1,34 @@
+This patch is taken from upstream and modified to adjust our currently
+released version.
+
+From 99eda421f7ddc27b14e4ac1d2126e5fe41719081 Mon Sep 17 00:00:00 2001
+From: "Emden R. Gansner" <[email protected]>
+Date: Mon, 24 Nov 2014 14:32:58 -0500
+Subject: [PATCH] Fix format string vulnerability in using agerr() to report
+ errors during parsing. We now use a fixed format %s, and pass the error
+ string as an argument.
+
+---
+ lib/cgraph/scan.l | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
+index 85a150a..a5872f4 100644
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -225,6 +225,7 @@ ID		({NAME}|{NUMBER})
+ <hstring>([^><\n]*)		addstr(yytext);
+ .						return (yytext[0]);
+ %%
++ 
+ void yyerror(char *str)
+ {
+ 	unsigned char	xbuf[BUFSIZ];
+@@ -273,7 +274,7 @@ void yyerror(char *str)
+	agxbput (&xb, yytext);
+	agxbput (&xb,"'\n");
+-	agerr(AGWARN,agxbuse(&xb));
++	agerr(AGWARN, "%s", agxbuse(&xb));
+ 	agxbfree(&xb);
+ }
+ /* must be here to see flex's macro defns */
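Review bot: The second nested hunk in this patch file looks inconsistent: its header `@@ -273,7 +274,7 @@` announces seven old and seven new lines, but only six of each follow it, and the two context lines `agxbput (&xb, yytext);` and `agxbput (&xb,"'\n");` carry no leading space after the outer `+`, unlike the other context lines in the series. Either the page dropped a line or the file as committed will be rejected by patch, or applied only with fuzz, which would leave the `agerr(AGWARN, "%s", agxbuse(&xb));` fix unapplied. Since the header says the patch was hand-adjusted to the released version, regenerating this hunk against the adjusted scan.l and confirming it applies cleanly in the build log would settle it. The added whitespace-only line `+ ` after `%%` in the first hunk also looks stray and could be dropped. The yyerror body this hunk edits is otherwise outside the hunk.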
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/graphviz/patches/004-495f781-format-string.patch	Wed Aug 03 15:33:19 2016 -0700
@@ -0,0 +1,33 @@
+From 495f781f91dca1fb165bbaa6abc0ced1c09535c8 Mon Sep 17 00:00:00 2001
+From: Tomas Hoger <[email protected]>
+Date: Wed, 20 May 2015 11:15:32 +0200
+Subject: [PATCH] Fix agerr() format string issue in chkNum()
+
+Commit 99eda42 fixed agerr() format string issue in yyerror(), but the
+same fix is also needed for chkNum().  In chkNum(), format string can be
+injected at least via malicious file name:
+
+  $ cat fs4-%n%s%s%s%s%s%s.dot
+  graph G { a [ weight = 0g ] }
+
+  $ dot fs4-%n%s%s%s%s%s%s.dot
+  Warning: *** %n in writable segment detected ***
+  Aborted
+---
+ lib/cgraph/scan.l | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
+index a5872f4..6aef10b 100644
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -165,7 +165,7 @@ static int chkNum(void) {
+ 	agxbput(&xb,buf);
+ 	agxbput(&xb,fname);
+ 	agxbput(&xb, " splits into two tokens\n");
+-	agerr(AGWARN,agxbuse(&xb));
++	agerr(AGWARN, "%s", agxbuse(&xb));
+ 
+ 	agxbfree(&xb);
+ 	return 1;
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/graphviz/patches/005-10a1322-format-string.patch	Wed Aug 03 15:33:19 2016 -0700
@@ -0,0 +1,56 @@
+From 10a132289ffe4ed9a398bebca13cb41c1006bd13 Mon Sep 17 00:00:00 2001
+From: Tomas Hoger <[email protected]>
+Date: Wed, 20 May 2015 11:22:11 +0200
+Subject: [PATCH 2/2] Additional agerr() format string fixes
+
+Similar to commit 99eda42, ensure the second argument to agerr() is
+fixed string with no user inputs.  Change applied to:
+
+* cmd/tools/gmlscan.l - unclear if this can be exploited in practice, as
+  only yytext can possibly hold format string
+* lib/graph/lexer.c - format string can be injected via graph file
+  content.  Note that libgraph is deprecated as of version 2.30.0, so
+  this fix is more relevant for older graphviz versions.
+---
+ cmd/tools/gmlscan.l | 2 +-
+ lib/graph/lexer.c   | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/cmd/tools/gmlscan.l b/cmd/tools/gmlscan.l
+index ea8db0f..e83ca4f 100644
+--- a/cmd/tools/gmlscan.l
++++ b/cmd/tools/gmlscan.l
+@@ -127,7 +127,7 @@ void yyerror(char *str)
+ 	return;
+     errors = 1;
+     sprintf(buf," %s in line %d near '%s'\n", str,line_num,yytext);
+-    agerr(AGWARN,buf);
++    agerr(AGWARN, "%s", buf);
+ }
+ 
+ int gmlerrors()
+diff --git a/lib/graph/lexer.c b/lib/graph/lexer.c
+index 05452c8..790563b 100644
+--- a/lib/graph/lexer.c
++++ b/lib/graph/lexer.c
+@@ -460,16 +460,16 @@ static void error_context(void)
+     if (buf < p) {
+ 	c = *p;
+ 	*p = '\0';
+-	agerr(AGPREV, buf);
++	agerr(AGPREV, "%s", buf);
+ 	*p = c;
+     }
+     agerr(AGPREV, " >>> ");
+     c = *LexPtr;
+     *LexPtr = '\0';
+-    agerr(AGPREV, p);
++    agerr(AGPREV, "%s", p);
+     *LexPtr = c;
+     agerr(AGPREV, " <<< ");
+-    agerr(AGPREV, LexPtr);
++    agerr(AGPREV, "%s", LexPtr);
+ }
+ 
+ void agerror(char *msg)
+
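Review bot: The cmd/tools/gmlscan.l hunk fixes only the agerr() format string; the context line just above it, `sprintf(buf," %s in line %d near '%s'\n", str,line_num,yytext);`, still writes the unbounded yytext into buf, which is the same pattern 000-7aaddf5-buffer-overflow.patch replaced in lib/cgraph/scan.l with agxbuf. buf is declared outside the hunk so its size is not visible here; if it is a fixed local array, a minimal hardening is `snprintf(buf, sizeof buf, " %s in line %d near '%s'\n", str, line_num, yytext);`, which keeps the message bounded and NUL-terminated, though the agxbuf approach used in scan.l would avoid truncation as well. gmlscan.l's yyerror begins before the hunk. The lib/graph/lexer.c hunk looks complete as written.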