From b1693b62c7a9e472d441b7886ad5ec9a5dd1c6c5 Mon Sep 17 00:00:00 2001
From: Stas Degteff
Date: Sat, 12 Feb 2011 22:02:48 +0000
Subject: [PATCH] Prevent buffer overflow in charset names. Bugreport from Semen Panevin 2:5025/121
---
 golded3/gccfgg8.cpp | 18 ++++++++++++++++++
 golded3/gcmisc.cpp | 31 +++++++++++++++++++++++++++++--
 2 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/golded3/gccfgg8.cpp b/golded3/gccfgg8.cpp
index 788a8f5..58f7660 100644
--- a/golded3/gccfgg8.cpp
+++ b/golded3/gccfgg8.cpp
@@ -598,10 +598,28 @@ void CfgXlatcharset() {
 Map xlt;
 char* ptr = strtok(val, " \t\n\r");
+ short maxtokenlen = sizeof(xlt.imp)-1;
 if(ptr) {
+ if(strlen(ptr) > maxtokenlen) {
+ STD_PRINT("* XLATCHARSET parser: Parameter '" << ptr
+ << "' too long. It is supposed no more than " << maxtokenlen << " characters. A line 'XLATCHARSET "
+ << ptr);
+ STD_PRINTNL(ptr+strlen(ptr)+1 << "' ignored.");
+ cfgerrors++;
+ return;
+ }
 strchg(strupr(strcpy(xlt.imp, ptr)), '_', ' ');
 ptr = strtok(NULL, " \t\n\r");
 if(ptr) {
+ if(strlen(ptr) > maxtokenlen) {
+ STD_PRINT("* XLATCHARSET parser: Parameter '" << ptr
+ << "' too long. It is supposed no more than " << maxtokenlen << " characters. A line 'XLATCHARSET "
+ << xlt.imp << " " << ptr);
+ STD_PRINTNL(ptr+strlen(ptr)+1 << "' ignored.");
+ cfgerrors++;
+ xlt.imp[0] = '\0';
+ return;
+ }
 strchg(strupr(strcpy(xlt.exp, ptr)), '_', ' ');
 ptr = strtok(NULL, " \t\n\r");
 if(ptr) {
diff --git a/golded3/gcmisc.cpp b/golded3/gcmisc.cpp
index 77c367f..21d8be3 100644
--- a/golded3/gcmisc.cpp
+++ b/golded3/gcmisc.cpp
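Review bot: In golded3/gccfgg8.cpp, both new rejection branches of CfgXlatcharset() print `ptr+strlen(ptr)+1`, which steps over the NUL that strtok() wrote after the token. When the overlong token is the last thing on the line, that NUL is the string's own terminator, so the expression points one byte past it and the error path may print stale or out-of-bounds bytes. Taking the remainder from strtok avoids this: `const char* rest = strtok(NULL, "");` and then print `(rest ? rest : "")`. The second check also bounds the copy into `xlt.exp` with `maxtokenlen`, which is derived from `sizeof(xlt.imp)`; `if(strlen(ptr) >= sizeof(xlt.exp))` stays correct if the two arrays differ in size (their declarations are not in the hunk). The function body continues past the hunk, so the handling of the third token is not visible here.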
@@ -680,7 +680,20 @@ void ReadXlatTables()
 }
 break;
 case 4:
- strcpy(ChsTable.imp, strbtrim(ptr));
+ {
+ char *tp = strbtrim(ptr);
+ if(strlen(tp) >= sizeof(ChsTable.imp)) {
+ STD_PRINTNL("* " << AddPath(CFG->xlatpath, xlt->mapfile) << ": At line 4 charset name '" << tp
+ << "' too long. It is supposed no more than " << sizeof(ChsTable.imp)-1 << " characters. A file ignored.");
+ cfgerrors++;
+ ifp.Lseek(0, SEEK_END);
+ ChsTable.displaylevel = 0;
+ ChsTable.level = 0;
+ ChsTable.version = 0;
+ ChsTable.id = 0;
+ }
+ else strcpy(ChsTable.imp, strbtrim(ptr));
+ }
 break;
 case 5:
 if (ChsTable.level && ChsTable.version!=-1)
@@ -689,7 +702,21 @@ void ReadXlatTables()
 strbtrim(ptr), ChsTable.level);
 }
 else
- strcpy(ChsTable.exp, strbtrim(ptr));
+ {
+ char *tp = strbtrim(ptr);
+ if(strlen(tp) >= sizeof(ChsTable.exp)) {
+ STD_PRINTNL("* " << AddPath(CFG->xlatpath, xlt->mapfile) << ": At line 4 charset name '" << tp
+ << "' too long. It is supposed no more than " << sizeof(ChsTable.exp)-1 << " characters. A file ignored.");
+ cfgerrors++;
+ ifp.Lseek(0, SEEK_END);
+ ChsTable.displaylevel = 0;
+ ChsTable.level = 0;
+ ChsTable.version = 0;
+ ChsTable.id = 0;
+ ChsTable.imp[0] = '\0';
+ }
+ else strcpy(ChsTable.exp, strbtrim(ptr));
+ }
 break;
 }
 }
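Review bot: In `case 4:` the length check is made on `tp`, but the copy calls `strbtrim(ptr)` a second time. Copying the value that was checked, `else strcpy(ChsTable.imp, tp);`, keeps the check and the use on the same pointer and no longer relies on strbtrim() returning the same result twice; the same applies to the `ChsTable.exp` copy in the next hunk. On the rejection path the numeric fields are zeroed but `ChsTable.imp` keeps whatever it held before, so adding `ChsTable.imp[0] = '\0';` there, as the next hunk does, would avoid leaving a stale name. Whether the code after the loop still uses ChsTable for a rejected file is outside the hunk.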
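Review bot: The message added under `case 5:` still says `At line 4 charset name`, apparently copied from the `case 4:` branch. It should read `At line 5` so the report points at the line that holds the export charset name. ReadXlatTables() starts and ends outside the hunk.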