diff options
Diffstat (limited to 'media-gfx/openscad/files/openscad-2021.01-CVE-2022-0496-Out-of-bounds-memory-access-in-DXF-loa.patch')
| -rw-r--r-- | media-gfx/openscad/files/openscad-2021.01-CVE-2022-0496-Out-of-bounds-memory-access-in-DXF-loa.patch | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/media-gfx/openscad/files/openscad-2021.01-CVE-2022-0496-Out-of-bounds-memory-access-in-DXF-loa.patch b/media-gfx/openscad/files/openscad-2021.01-CVE-2022-0496-Out-of-bounds-memory-access-in-DXF-loa.patch new file mode 100644 index 000000000000..6c0a9558e3fb --- /dev/null +++ b/media-gfx/openscad/files/openscad-2021.01-CVE-2022-0496-Out-of-bounds-memory-access-in-DXF-loa.patch @@ -0,0 +1,74 @@ +From https://github.com/openscad/openscad/commit/00a4692989c4e2f191525f73f24ad8727bacdf41 Mon Sep 17 00:00:00 2001 +From: Torsten Paul <Torsten.Paul@gmx.de> +Date: Sat, 5 Feb 2022 18:38:31 +0100 +Subject: [PATCH 01/11] CVE-2022-0496 Out-of-bounds memory access in DXF + loader. + +Public issue: +https://github.com/openscad/openscad/issues/4037 + +Fix in master branch: +https://github.com/openscad/openscad/pull/4090 +--- a/src/dxfdata.cc ++++ b/src/dxfdata.cc +@@ -441,6 +441,11 @@ DxfData::DxfData(double fn, double fs, double fa, + auto lv = grid.data(this->points[lines[idx].idx[j]][0], this->points[lines[idx].idx[j]][1]); + for (size_t ki = 0; ki < lv.size(); ++ki) { + int k = lv.at(ki); ++ if (k < 0 || k >= lines.size()) { ++ LOG(message_group::Warning,Location::NONE,"", ++ "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string())); ++ continue; ++ } + if (k == idx || lines[k].disabled) continue; + goto next_open_path_j; + } +@@ -466,13 +471,20 @@ DxfData::DxfData(double fn, double fs, double fa, + auto lv = grid.data(ref_point[0], ref_point[1]); + for (size_t ki = 0; ki < lv.size(); ++ki) { + int k = lv.at(ki); ++ if (k < 0 || k >= lines.size()) { ++ LOG(message_group::Warning,Location::NONE,"", ++ "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string())); ++ continue; ++ } + if (lines[k].disabled) continue; +- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[0]][0], this->points[lines[k].idx[0]][1])) { ++ auto idk0 = lines[k].idx[0]; // make it easier to read and debug ++ auto idk1 = lines[k].idx[1]; ++ if (grid.eq(ref_point[0], ref_point[1], this->points[idk0][0], this->points[idk0][1])) { + current_line = k; + current_point = 0; + goto found_next_line_in_open_path; + } +- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[1]][0], this->points[lines[k].idx[1]][1])) { ++ if (grid.eq(ref_point[0], ref_point[1], this->points[idk1][0], this->points[idk1][1])) { + current_line = k; + current_point = 1; + goto found_next_line_in_open_path; +@@ -501,13 +513,20 @@ DxfData::DxfData(double fn, double fs, double fa, + auto lv = grid.data(ref_point[0], ref_point[1]); + for (size_t ki = 0; ki < lv.size(); ++ki) { + int k = lv.at(ki); ++ if (k < 0 || k >= lines.size()) { ++ LOG(message_group::Warning,Location::NONE,"", ++ "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string())); ++ continue; ++ } + if (lines[k].disabled) continue; +- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[0]][0], this->points[lines[k].idx[0]][1])) { ++ auto idk0 = lines[k].idx[0]; // make it easier to read and debug ++ auto idk1 = lines[k].idx[1]; ++ if (grid.eq(ref_point[0], ref_point[1], this->points[idk0][0], this->points[idk0][1])) { + current_line = k; + current_point = 0; + goto found_next_line_in_closed_path; + } +- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[1]][0], this->points[lines[k].idx[1]][1])) { ++ if (grid.eq(ref_point[0], ref_point[1], this->points[idk1][0], this->points[idk1][1])) { + current_line = k; + current_point = 1; + goto found_next_line_in_closed_path; +-- +2.35.1 + |