commit ebc08cff36689eec54edc1ce2de6ebac826bd6cd
Author: Peter Marko
Date:   Fri Apr 12 23:56:25 2024 +0200

    check return value of _nc_save_str(), in special case for tic where extended capabilities are processed but the terminal description was not initialized (report by Ziqiao Kong). Only parts relevant for this CVE was extracted from upstream patch.

    CVE: CVE-2023-45853
    Upstream-Status: Backport [https://invisible-island.net/archives/ncurses/6.4/ncurses-6.4-20230424.patch.gz]
    Signed-off-by: Peter Marko
---
 ncurses/tinfo/parse_entry.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c
index a77cd0b..8ac02ac 100644
--- a/ncurses/tinfo/parse_entry.c
+++ b/ncurses/tinfo/parse_entry.c
@@ -110,7 +110,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type)
         /* Well, we are given a cancel for a name that we don't recognize */
         return _nc_extend_names(entryp, name, STRING);
     default:
-        return 0;
+        return NULL;
     }
 
     /* Adjust the 'offset' (insertion-point) to keep the lists of extended
@@ -142,6 +142,11 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type)
         for (last = (unsigned) (max - 1); last > tindex; last--)
 
     if (!found) {
+        char *saved;
+
+        if ((saved = _nc_save_str(name)) == NULL)
+            return NULL;
+
         switch (token_type) {
         case BOOLEAN:
             tp->ext_Booleans++;
@@ -169,7 +174,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type)
         TYPE_REALLOC(char *, actual, tp->ext_Names);
         while (--actual > offset)
             tp->ext_Names[actual] = tp->ext_Names[actual - 1];
-        tp->ext_Names[offset] = _nc_save_str(name);
+        tp->ext_Names[offset] = saved;
     }
 
     temp.nte_name = tp->ext_Names[offset];
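Review bot: The `if ((saved = _nc_save_str(name)) == NULL) return NULL;` added at the top of the `if (!found)` block in the @@ -142 hunk moves the failure up to whoever calls `_nc_extend_names`, and that caller is outside this diff; it must treat a NULL result as not-found rather than dereferencing it, which is worth confirming. Checking before `tp->ext_Booleans++` (and the other counters in the switch) is the right order, since a failed save then leaves the entry's counts and `ext_Names` untouched instead of half-updated, which is presumably how the old unchecked assignment in the @@ -169 hunk ended up storing a NULL name. A one-line comment would make the intent survive the next refactor, e.g. `/* NULL when the terminal description was not initialized (see commit message); bail out before any counter is bumped */`. Separately, the `CVE:` line in the commit record looks as though it may not be the identifier the upstream ncurses advisory uses for this fix; worth double-checking before downstream CVE tracking relies on it. `_nc_extend_names` begins and ends outside these hunks.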
@@ -337,6 +342,8 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
         bool is_use = (strcmp(_nc_curr_token.tk_name, "use") == 0);
         bool is_tc = !is_use && (strcmp(_nc_curr_token.tk_name, "tc") == 0);
         if (is_use || is_tc) {
+            char *saved;
+
             if (!VALID_STRING(_nc_curr_token.tk_valstring)
                 || _nc_curr_token.tk_valstring[0] == '\0') {
                 _nc_warning("missing name for use-clause");
@@ -350,11 +357,13 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
                             _nc_curr_token.tk_valstring);
                 continue;
             }
-            entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring);
-            entryp->uses[entryp->nuses].line = _nc_curr_line;
-            entryp->nuses++;
-            if (entryp->nuses > 1 && is_tc) {
-                BAD_TC_USAGE
+            if ((saved = _nc_save_str(_nc_curr_token.tk_valstring)) != NULL) {
+                entryp->uses[entryp->nuses].name = saved;
+                entryp->uses[entryp->nuses].line = _nc_curr_line;
+                entryp->nuses++;
+                if (entryp->nuses > 1 && is_tc) {
+                    BAD_TC_USAGE
+                }
             }
         } else {
             /* normal token lookup */
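Review bot: When `_nc_save_str(_nc_curr_token.tk_valstring)` returns NULL, the new `if (... != NULL) { ... }` block in the @@ -350 hunk silently drops the use/tc clause: `nuses` is not incremented and parsing simply continues, so the compiled entry presumably loses that reference with no diagnostic. That avoids storing a NULL name, but an `else` branch with a warning would keep the failure visible, e.g. `} else { _nc_warning("unable to save use-clause name '%s'", _nc_curr_token.tk_valstring); }` (the `_nc_warning` call a few lines up shows the function is already at hand here). The `char *saved;` declared in the @@ -337 hunk sits in the same `if (is_use || is_tc)` block, so its scope matches the use. `_nc_parse_entry` begins and ends outside these hunks.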