fixed heap use after free vulnerability CVE-2021-21900
As reported in TALOS-2021-1351 / CVE-2021-21900, DRW_TableEntry::parseCode had the potential to trigger a use-after-free exception with a malformed DXF file.
parent
783a3faaeb
commit
47e0e3d0f3
|
@ -24,6 +24,7 @@
|
||||||
- Option to disable the automatic search for updates.
|
- Option to disable the automatic search for updates.
|
||||||
- [smart-pattern/valentina#153] To add text search bar in History window.
|
- [smart-pattern/valentina#153] To add text search bar in History window.
|
||||||
- Improve for a search bar.
|
- Improve for a search bar.
|
||||||
|
- Backport fix vulnerability CVE-2021-21900.
|
||||||
|
|
||||||
# Valentina 0.7.49 July 1, 2021
|
# Valentina 0.7.49 July 1, 2021
|
||||||
- Fix crash.
|
- Fix crash.
|
||||||
|
|
|
@ -48,26 +48,46 @@ void DRW_TableEntry::parseCode(int code, dxfReader *reader){
|
||||||
case 1011:
|
case 1011:
|
||||||
case 1012:
|
case 1012:
|
||||||
case 1013:
|
case 1013:
|
||||||
curr = new DRW_Variant();
|
// don't trust in X, Y, Z order!
|
||||||
curr->addCoord();
|
if (curr != nullptr)
|
||||||
|
{
|
||||||
curr->setCoordX(reader->getDouble());
|
curr->setCoordX(reader->getDouble());
|
||||||
curr->code = code;
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
curr = new DRW_Variant( code, DRW_Coord( reader->getDouble(), 0.0, 0.0));
|
||||||
extData.push_back(curr);
|
extData.push_back(curr);
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
case 1020:
|
case 1020:
|
||||||
case 1021:
|
case 1021:
|
||||||
case 1022:
|
case 1022:
|
||||||
case 1023:
|
case 1023:
|
||||||
if (curr)
|
// don't trust in X, Y, Z order!
|
||||||
|
if (curr != nullptr)
|
||||||
|
{
|
||||||
curr->setCoordY(reader->getDouble());
|
curr->setCoordY(reader->getDouble());
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
curr = new DRW_Variant(code, DRW_Coord( 0.0, reader->getDouble(), 0.0));
|
||||||
|
extData.push_back(curr);
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
case 1030:
|
case 1030:
|
||||||
case 1031:
|
case 1031:
|
||||||
case 1032:
|
case 1032:
|
||||||
case 1033:
|
case 1033:
|
||||||
if (curr)
|
// don't trust in X, Y, Z order!
|
||||||
|
if (curr != nullptr)
|
||||||
|
{
|
||||||
curr->setCoordZ(reader->getDouble());
|
curr->setCoordZ(reader->getDouble());
|
||||||
curr=nullptr;
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
curr = new DRW_Variant(code, DRW_Coord(0.0, 0.0, reader->getDouble()));
|
||||||
|
extData.push_back(curr);
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
case 1040:
|
case 1040:
|
||||||
case 1041:
|
case 1041:
|
||||||
|
|
|
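Review bot: Nothing on the new side of this hunk sets `curr` back to `nullptr` once a point is complete: the old `curr=nullptr;` after `setCoordZ` in the 1030–1033 case is gone, and each branch leaves `curr` pointing at the last variant pushed to `extData`. Unless another case of `parseCode` outside this hunk clears it, a second 101x/102x/103x group in the same entry would overwrite the first variant's coordinates instead of appending a new one, so multi-point extended data would silently collapse into a single item. I would confirm where `curr` is meant to be cleared between items and state it at the first branch, e.g. `// curr aliases the coord variant being filled in extData; it never owns it`. The function starts and continues outside the hunk.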
@ -54,20 +54,15 @@ namespace DRW {
|
||||||
*/
|
*/
|
||||||
class DRW_TableEntry {
|
class DRW_TableEntry {
|
||||||
public:
|
public:
|
||||||
//initializes default values
|
|
||||||
DRW_TableEntry()
|
DRW_TableEntry()
|
||||||
: tType(DRW::UNKNOWNT),
|
|
||||||
handle(),
|
|
||||||
parentHandle(0),
|
|
||||||
name(),
|
|
||||||
flags(0),
|
|
||||||
extData(),
|
|
||||||
curr(nullptr)
|
|
||||||
{}
|
{}
|
||||||
|
|
||||||
virtual~DRW_TableEntry() {
|
virtual~DRW_TableEntry()
|
||||||
for (std::vector<DRW_Variant*>::iterator it=extData.begin(); it!=extData.end(); ++it)
|
{
|
||||||
|
for (std::vector<DRW_Variant*>::iterator it = extData.begin(); it != extData.end(); ++it)
|
||||||
|
{
|
||||||
delete *it;
|
delete *it;
|
||||||
|
}
|
||||||
|
|
||||||
extData.clear();
|
extData.clear();
|
||||||
}
|
}
|
||||||
|
@ -79,34 +74,45 @@ public:
|
||||||
name(e.name),
|
name(e.name),
|
||||||
flags(e.flags),
|
flags(e.flags),
|
||||||
extData(),
|
extData(),
|
||||||
curr(e.curr)
|
curr(nullptr)
|
||||||
{
|
{
|
||||||
for (std::vector<DRW_Variant*>::const_iterator it=e.extData.begin(); it!=e.extData.end(); ++it){
|
for (std::vector<DRW_Variant*>::const_iterator it = e.extData.begin(); it != e.extData.end(); ++it)
|
||||||
extData.push_back(new DRW_Variant(*(*it)));
|
{
|
||||||
|
DRW_Variant *src = *it;
|
||||||
|
DRW_Variant *dst = new DRW_Variant(*src);
|
||||||
|
extData.push_back(dst);
|
||||||
|
if (src == e.curr)
|
||||||
|
{
|
||||||
|
curr = dst;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
protected:
|
protected:
|
||||||
void parseCode(int code, dxfReader *reader);
|
void parseCode(int code, dxfReader *reader);
|
||||||
void reset(){
|
void reset()
|
||||||
|
{
|
||||||
flags = 0;
|
flags = 0;
|
||||||
for (std::vector<DRW_Variant*>::iterator it=extData.begin(); it!=extData.end(); ++it)
|
for (std::vector<DRW_Variant*>::iterator it = extData.begin(); it != extData.end(); ++it)
|
||||||
|
{
|
||||||
delete *it;
|
delete *it;
|
||||||
|
}
|
||||||
extData.clear();
|
extData.clear();
|
||||||
|
curr = nullptr;
|
||||||
}
|
}
|
||||||
|
|
||||||
public:
|
public:
|
||||||
enum DRW::TTYPE tType; /*!< enum: entity type, code 0 */
|
enum DRW::TTYPE tType {DRW::UNKNOWNT}; /*!< enum: entity type, code 0 */
|
||||||
duint32 handle; /*!< entity identifier, code 5 */
|
duint32 handle {0}; /*!< entity identifier, code 5 */
|
||||||
int parentHandle; /*!< Soft-pointer ID/handle to owner object, code 330 */
|
int parentHandle {0}; /*!< Soft-pointer ID/handle to owner object, code 330 */
|
||||||
UTF8STRING name; /*!< entry name, code 2 */
|
UTF8STRING name{}; /*!< entry name, code 2 */
|
||||||
int flags; /*!< Flags relevant to entry, code 70 */
|
int flags {0}; /*!< Flags relevant to entry, code 70 */
|
||||||
std::vector<DRW_Variant*> extData; /*!< FIFO list of extended data, codes 1000 to 1071*/
|
std::vector<DRW_Variant*> extData{}; /*!< FIFO list of extended data, codes 1000 to 1071*/
|
||||||
|
|
||||||
private:
|
private:
|
||||||
DRW_TableEntry &operator=(const DRW_TableEntry &) Q_DECL_EQ_DELETE;
|
DRW_TableEntry &operator=(const DRW_TableEntry &) Q_DECL_EQ_DELETE;
|
||||||
// cppcheck-suppress unsafeClassCanLeak
|
// cppcheck-suppress unsafeClassCanLeak
|
||||||
DRW_Variant* curr;
|
DRW_Variant* curr{nullptr};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
|
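Review bot: The member `DRW_Variant* curr{nullptr};` still carries only the `cppcheck-suppress unsafeClassCanLeak` line and documents no ownership, although the fix relies on `curr` being either null or an alias of an element owned by `extData`. The visible code maintains that invariant: the copy constructor now remaps `curr` to the copied element (`if (src == e.curr)`) and `reset()` ends with `curr = nullptr;`. A later method that erases from `extData` without touching `curr` would bring the dangling pointer back. I would add `/*!< non-owning: nullptr or an element of extData; clear whenever extData is emptied */` to that declaration. The class begins above the first hunk of this file.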