From bcf02d3242f1c7d57224a95f7903fcf4b5e7695d Mon Sep 17 00:00:00 2001
From: Thomas E. Dickey <dickey@invisible-island.net>
Date: Fri, 16 Jun 2023 02:54:29 +0530
Subject: [PATCH] Fix CVE-2023-45918

CVE: CVE-2023-45918

Upstream-Status: Backport [https://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=bcf02d3242f1c7d57224a95f7903fcf4b5e7695d]

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
---
 ncurses/tinfo/comp_error.c | 15 ++++++---
 ncurses/tinfo/read_entry.c | 65 ++++++++++++++++++++++++++------------
 2 files changed, 56 insertions(+), 24 deletions(-)

diff --git a/ncurses/tinfo/comp_error.c b/ncurses/tinfo/comp_error.c
index 48f48784..ee518e28 100644
--- a/ncurses/tinfo/comp_error.c
+++ b/ncurses/tinfo/comp_error.c
@@ -60,8 +60,15 @@ _nc_get_source(void)
 NCURSES_EXPORT(void)
 _nc_set_source(const char *const name)
 {
-    FreeIfNeeded(SourceName);
-    SourceName = strdup(name);
+    if (name == NULL) {
+	free(SourceName);
+	SourceName = NULL;
+    } else if (SourceName == NULL) {
+	SourceName = strdup(name);
+    } else if (strcmp(name, SourceName)) {
+	free(SourceName);
+	SourceName = strdup(name);
+    }
 }

 NCURSES_EXPORT(void)
@@ -95,9 +102,9 @@ static NCURSES_INLINE void
 where_is_problem(void)
 {
     fprintf(stderr, "\"%s\"", SourceName ? SourceName : "?");
-    if (_nc_curr_line >= 0)
+    if (_nc_curr_line > 0)
	fprintf(stderr, ", line %d", _nc_curr_line);
-    if (_nc_curr_col >= 0)
+    if (_nc_curr_col > 0)
	fprintf(stderr, ", col %d", _nc_curr_col);
     if (TermType != 0 && TermType[0] != '\0')
	fprintf(stderr, ", terminal '%s'", TermType);
diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c
index 8ccb1570..101bbe09 100644
--- a/ncurses/tinfo/read_entry.c
+++ b/ncurses/tinfo/read_entry.c
@@ -140,12 +140,13 @@ convert_16bits(char *buf, NCURSES_INT2 *Numbers, int count)
 }
 #endif

-static void
-convert_strings(char *buf, char **Strings, int count, int size, char *table)
+static bool
+convert_strings(char *buf, char **Strings, int count, int size,
+		char *table, bool always)
 {
     int i;
     char *p;
-    bool corrupt = FALSE;
+    bool success = TRUE;

     for (i = 0; i < count; i++) {
	if (IS_NEG1(buf + 2 * i)) {
@@ -161,13 +162,10 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
		TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
				    _nc_visbuf(Strings[i])));
	    } else {
-		if (!corrupt) {
-		    corrupt = TRUE;
-		    TR(TRACE_DATABASE,
-		       ("ignore out-of-range index %d to Strings[]", nn));
-		    _nc_warning("corrupt data found in convert_strings");
-		}
-		Strings[i] = ABSENT_STRING;
+		TR(TRACE_DATABASE,
+		   ("found out-of-range index %d to Strings[%d]", nn, i));
+		success = FALSE;
+		break;
	    }
	}

@@ -177,10 +175,25 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
		if (*p == '\0')
		    break;
	    /* if there is no NUL, ignore the string */
-	    if (p >= table + size)
+	    if (p >= table + size) {
		Strings[i] = ABSENT_STRING;
+	    } else if (p == Strings[i] && always) {
+		TR(TRACE_DATABASE,
+		   ("found empty but required Strings[%d]", i));
+		success = FALSE;
+		break;
+	    }
+	} else if (always) {	/* names are always needed */
+	    TR(TRACE_DATABASE,
+	       ("found invalid but required Strings[%d]", i));
+	    success = FALSE;
+	    break;
	}
     }
+    if (!success) {
+	_nc_warning("corrupt data found in convert_strings");
+    }
+    return success;
 }

 static int
@@ -383,7 +396,10 @@ _nc_read_termtype(TERMTYPE2 *ptr, char *buffer, int limit)
	if (Read(string_table, (unsigned) str_size) != str_size) {
	    returnDB(TGETENT_NO);
	}
-	convert_strings(buf, ptr->Strings, str_count, str_size, string_table);
+	if (!convert_strings(buf, ptr->Strings, str_count, str_size,
+			     string_table, FALSE)) {
+	    returnDB(TGETENT_NO);
+	}
     }
 #if NCURSES_XNAMES

@@ -484,8 +500,10 @@ _nc_read_termtype(TERMTYPE2 *ptr, char *buffer, int limit)
	       ("Before computing extended-string capabilities "
		"str_count=%d, ext_str_count=%d",
		str_count, ext_str_count));
-	    convert_strings(buf, ptr->Strings + str_count, ext_str_count,
-			    ext_str_limit, ptr->ext_str_table);
+	    if (!convert_strings(buf, ptr->Strings + str_count, ext_str_count,
+				 ext_str_limit, ptr->ext_str_table, FALSE)) {
+		returnDB(TGETENT_NO);
+	    }
	    for (i = ext_str_count - 1; i >= 0; i--) {
		TR(TRACE_DATABASE, ("MOVE from [%d:%d] %s",
				    i, i + str_count,
@@ -519,10 +537,13 @@ _nc_read_termtype(TERMTYPE2 *ptr, char *buffer, int limit)
	    TR(TRACE_DATABASE,
	       ("ext_NAMES starting @%d in extended_strings, first = %s",
		base, _nc_visbuf(ptr->ext_str_table + base)));
-	    convert_strings(buf + (2 * ext_str_count),
-			    ptr->ext_Names,
-			    (int) need,
-			    ext_str_limit, ptr->ext_str_table + base);
+	    if (!convert_strings(buf + (2 * ext_str_count),
+				 ptr->ext_Names,
+				 (int) need,
+				 ext_str_limit, ptr->ext_str_table + base,
+				 TRUE)) {
+		returnDB(TGETENT_NO);
+	    }
	}

	TR(TRACE_DATABASE,
@@ -575,13 +596,17 @@ _nc_read_file_entry(const char *const filename, TERMTYPE2 *ptr)
	int limit;
	char buffer[MAX_ENTRY_SIZE + 1];

-	if ((limit = (int) fread(buffer, sizeof(char), sizeof(buffer), fp))
-	    > 0) {
+	limit = (int) fread(buffer, sizeof(char), sizeof(buffer), fp);
+	if (limit > 0) {
+	    const char *old_source = _nc_get_source();

	    TR(TRACE_DATABASE, ("read terminfo %s", filename));
+	    if (old_source == NULL)
+		_nc_set_source(filename);
	    if ((code = _nc_read_termtype(ptr, buffer, limit)) == TGETENT_NO) {
		_nc_free_termtype2(ptr);
	    }
+	    _nc_set_source(old_source);
	} else {
	    code = TGETENT_NO;
	}
--
2.40.0