[Debian-hebrew-package] Fwd: Small fix for bidiv, might have security implications

Shachar Raindel shacharr at gmail.com
Sat Jan 7 09:50:14 UTC 2006


I forward this e-mail to you as well since it seems that you might
also be related to this package maintenance

---------- Forwarded message ----------
From: Shachar Raindel <shacharr at gmail.com>
Date: Jan 7, 2006 11:45 AM
Subject: Small fix for bidiv, might have security implications
To: Nadav Har'El <nyh at math.technion.ac.il>, baruch at debian.org


Hi,
  After having bidiv crashing on me when using it to filter a
directory listing, I took the time to run it through valgrind. I found
out that when allocating the Unicode storage strings (unicode_in and
unicode_out), you allocated 1 char less than the needed amount (it is
necessary to have a place for the null terminator as well as the whole
line), therefore overwriting the following heap content with 2 null
bytes. I haven't tried to exploit this, but it might (though very
unlikely) be possible to exploit this bug. I attach a patch against
the 1.4 version of bidiv which fixes this problem (and also frees the
memory it allocates when it is done with using it).

  Thanks for the great tool anyway.

    Regards,
    Shachar
-------------- next part --------------
--- bidiv-1.4/bidiv-orig.c	2006-01-07 11:15:38.000000000 +0200
+++ bidiv-1.4/bidiv.c	2006-01-07 11:30:56.000000000 +0200
@@ -67,8 +67,8 @@
 	in=(char *)malloc(width+1);
 	out=(char *)malloc(width*7+1); /* 7 is the maximum number of
 					  bytes in one UTF8 char? */
-	unicode_in=(FriBidiChar *)malloc(sizeof(FriBidiChar)*width);
-	unicode_out=(FriBidiChar *)malloc(sizeof(FriBidiChar)*width);
+	unicode_in=(FriBidiChar *)malloc(sizeof(FriBidiChar)*(width+1));
+	unicode_out=(FriBidiChar *)malloc(sizeof(FriBidiChar)*(width+1));
 
 	c=0;
 	while(c!=EOF){
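Review bot: none of the four malloc() results here (in, out, unicode_in, unicode_out) is checked for NULL before the read loop starts, and the sizes sizeof(FriBidiChar)*(width+1) and width*7+1 are computed with no bound on width visible in this hunk, so a failed or wrapped allocation would go unnoticed. Suggest testing each pointer right after allocation and exiting with an error, and validating width before the multiplications. The +1 itself is consistent with the width+1 already used for in, which leaves room for the terminator after a full-width line.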
@@ -212,6 +212,11 @@
 				putchar(' ');
 		puts(out);
 	}
+	// Free the memory we have allocated
+	free(in);
+	free(out);
+	free(unicode_in);
+	free(unicode_out);
 }
 
 int
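Review bot: the added comment above free(in) uses // while the rest of the file uses /* */ (see the comment on the out allocation in the first hunk), and // is rejected by a strict C89 compiler; suggest /* Free the memory we have allocated */ instead. The four free() calls sit only at the closing brace, so any earlier return from this function would still leak the buffers; worth confirming there is no such path outside the lines shown.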