enscript-CVE-2004-1184+CVE-2004-1185+CVE-2004-1186.patch   [plain text]


diff -r -u -N --exclude='*.orig' enscript-1.6.4.orig/src/gsint.h enscript-1.6.4/src/gsint.h
--- enscript-1.6.4.orig/src/gsint.h	2003-03-04 23:37:06.000000000 -0800
+++ enscript-1.6.4/src/gsint.h	2009-02-09 16:26:59.000000000 -0800
@@ -701,4 +701,9 @@
  */
 void printer_close ___P ((void *context));
 
+/*
+ * Escape filenames for shell usage
+ */
+char *shell_escape ___P ((const char *fn));
+
 #endif /* not GSINT_H */
diff -r -u -N --exclude='*.orig' enscript-1.6.4.orig/src/main.c enscript-1.6.4/src/main.c
--- enscript-1.6.4.orig/src/main.c	2003-03-04 23:36:32.000000000 -0800
+++ enscript-1.6.4/src/main.c	2009-02-09 16:26:59.000000000 -0800
@@ -1546,9 +1546,13 @@
       buffer_append (&cmd, intbuf);
       buffer_append (&cmd, " ");
 
-      buffer_append (&cmd, "-Ddocument_title=\"");
-      buffer_append (&cmd, title);
-      buffer_append (&cmd, "\" ");
+      buffer_append (&cmd, "-Ddocument_title=\'");
+      if ((cp = shell_escape (title)) != NULL)
+	{
+	  buffer_append (&cmd, cp);
+	  free (cp);
+	}
+      buffer_append (&cmd, "\' ");
 
       buffer_append (&cmd, "-Dtoc=");
       buffer_append (&cmd, toc ? "1" : "0");
@@ -1565,8 +1569,14 @@
       /* Append input files. */
       for (i = optind; i < argc; i++)
 	{
-	  buffer_append (&cmd, " ");
-	  buffer_append (&cmd, argv[i]);
+	  char *cp;
+	  if ((cp = shell_escape (argv[i])) != NULL)
+	    {
+	      buffer_append (&cmd, " \'");
+	      buffer_append (&cmd, cp);
+	      buffer_append (&cmd, "\'");
+	      free (cp);
+	    }
 	}
 
       /* And do the job. */
@@ -1627,7 +1637,7 @@
 				 buffer_ptr (opts), buffer_len (opts));
 	    }
 
-	  buffer_append (&buffer, " \"%s\"");
+	  buffer_append (&buffer, " \'%s\'");
 
 	  input_filter = buffer_copy (&buffer);
 	  input_filter_stdin = "-";
diff -r -u -N --exclude='*.orig' enscript-1.6.4.orig/src/psgen.c enscript-1.6.4/src/psgen.c
--- enscript-1.6.4.orig/src/psgen.c	2003-03-04 23:36:53.000000000 -0800
+++ enscript-1.6.4/src/psgen.c	2009-02-09 16:30:11.000000000 -0800
@@ -2034,8 +2034,9 @@
   else
     {
       ftail++;
-      strncpy (buf, fname, ftail - fname);
-      buf[ftail - fname] = '\0';
+      i = ftail - fname >= sizeof (buf)-1 ? sizeof (buf)-1 : ftail - fname;
+      strncpy (buf, fname, i);
+      buf[i] = '\0';
     }
 
   if (nup > 1)
@@ -2385,9 +2386,10 @@
   MESSAGE (2, (stderr, "^@epsf=\"%s\"\n", token->u.epsf.filename));
 
   i = strlen (token->u.epsf.filename);
+  /*
   if (i > 0 && token->u.epsf.filename[i - 1] == '|')
     {
-      /* Read EPS data from pipe. */
+      / * Read EPS data from pipe. * /
       token->u.epsf.pipe = 1;
       token->u.epsf.filename[i - 1] = '\0';
       token->u.epsf.fp = popen (token->u.epsf.filename, "r");
@@ -2400,6 +2402,7 @@
 	}
     }
   else
+  */
     {
       char *filename;
 
diff -r -u -N --exclude='*.orig' enscript-1.6.4.orig/src/util.c enscript-1.6.4/src/util.c
--- enscript-1.6.4.orig/src/util.c	2003-03-04 23:26:32.000000000 -0800
+++ enscript-1.6.4/src/util.c	2009-02-09 16:28:12.000000000 -0800
@@ -1239,6 +1239,8 @@
 
   /* Create result. */
   cp = xmalloc (len + 1);
+  if (cp == NULL)
+      return NULL;
   for (i = 0, j = 0; string[i]; i++)
     switch (string[i])
       {
@@ -1879,6 +1881,7 @@
       char *cmd = NULL;
       int cmdlen;
       int i, pos;
+      char *cp;
 
       is->is_pipe = 1;
 
@@ -1902,12 +1905,16 @@
 		{
 		case 's':
 		  /* Expand cmd-buffer. */
-		  cmdlen += strlen (fname);
-		  cmd = xrealloc (cmd, cmdlen);
+		  if ((cp = shell_escape (fname)) != NULL)
+		    {
+		      cmdlen += strlen (cp);
+		      cmd = xrealloc (cmd, cmdlen);
 
-		  /* Paste filename. */
-		  strcpy (cmd + pos, fname);
-		  pos += strlen (fname);
+		      /* Paste filename. */
+		      strcpy (cmd + pos, cp);
+		      pos += strlen (cp);
+		      free (cp);
+		    }
 
 		  i++;
 		  break;
@@ -1991,12 +1998,13 @@
   if (is->bufpos >= is->data_in_buf)
     {
       /* At the EOF? */
-      if (is->nreads > 0 && is->data_in_buf < sizeof (is->buf))
+      if (is->nreads > 0 && is->data_in_buf <= 0)
 	/* Yes. */
 	return EOF;
 
       /* Read more data. */
-      is->data_in_buf = fread (is->buf, 1, sizeof (is->buf), is->fp);
+      memset (is->buf, 0, sizeof (is->buf));
+      is->data_in_buf = fread (is->buf, 1, sizeof (is->buf)-1, is->fp);
       is->bufpos = 0;
       is->nreads++;
 
@@ -2116,3 +2124,36 @@
 {
   return buffer->len;
 }
+
+/*
+ * Escapes the name of a file so that the shell groks it in 'single'
+ * quotation marks.  The resulting pointer has to be free()ed when not
+ * longer used.
+*/
+char *
+shell_escape(const char *fn)
+{
+  size_t len = 0;
+  const char *inp;
+  char *retval, *outp;
+
+  for(inp = fn; *inp; ++inp)
+    switch(*inp)
+    {
+      case '\'': len += 4; break;
+      default:   len += 1; break;
+    }
+
+  outp = retval = malloc(len + 1);
+  if(!outp)
+    return NULL; /* perhaps one should do better error handling here */
+  for(inp = fn; *inp; ++inp)
+    switch(*inp)
+    {
+      case '\'': *outp++ = '\''; *outp++ = '\\'; *outp++ = '\'', *outp++ = '\''; break;
+      default:   *outp++ = *inp; break;
+    }
+  *outp = 0;
+
+  return retval;
+}