From 0e059cdf5fd86297546c63fa8607c24059118832 Mon Sep 17 00:00:00 2001 From: "schwarze@openbsd.org" Date: Wed, 25 May 2016 23:48:45 +0000 Subject: upstream commit To prevent screwing up terminal settings when printing to the terminal, for ASCII and UTF-8, escape bytes not forming characters and bytes forming non-printable characters with vis(3) VIS_OCTAL. For other character sets, abort printing of the current string in these cases. In particular, * let scp(1) respect the local user's LC_CTYPE locale(1); * sanitize data received from the remote host; * sanitize filenames, usernames, and similar data even locally; * take character display widths into account for the progressmeter. This is believed to be sufficient to keep the local terminal safe on OpenBSD, but bad things can still happen on other systems with state-dependent locales because many places in the code print unencoded ASCII characters into the output stream. Using feedback from djm@ and martijn@, various aspects discussed with many others. deraadt@ says it should go in now, i probably already hesitated too long Upstream-ID: e66afbc94ee396ddcaffd433b9a3b80f387647e0 --- utf8.c | 258 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 258 insertions(+) create mode 100644 utf8.c (limited to 'utf8.c') diff --git a/utf8.c b/utf8.c new file mode 100644 index 000000000..d6089bdec --- /dev/null +++ b/utf8.c @@ -0,0 +1,258 @@ +/* $OpenBSD: utf8.c,v 1.1 2016/05/25 23:48:45 schwarze Exp $ */ +/* + * Copyright (c) 2016 Ingo Schwarze + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * Utility functions for multibyte-character handling, + * in particular to sanitize untrusted strings for terminal output. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "utf8.h" + +static int dangerous_locale(void); +static int vasnmprintf(char **, size_t, int *, const char *, va_list); + + +/* + * For US-ASCII and UTF-8 encodings, we can safely recover from + * encoding errors and from non-printable characters. For any + * other encodings, err to the side of caution and abort parsing: + * For state-dependent encodings, recovery is impossible. + * For arbitrary encodings, replacement of non-printable + * characters would be non-trivial and too fragile. + */ + +static int +dangerous_locale(void) { + char *loc; + + loc = nl_langinfo(CODESET); + return strcmp(loc, "US-ASCII") && strcmp(loc, "UTF-8"); +} + +/* + * The following two functions limit the number of bytes written, + * including the terminating '\0', to sz. Unless wp is NULL, + * they limit the number of display columns occupied to *wp. + * Whichever is reached first terminates the output string. + * To stay close to the standard interfaces, they return the number of + * non-NUL bytes that would have been written if both were unlimited. + * If wp is NULL, newline, carriage return, and tab are allowed; + * otherwise, the actual number of columns occupied by what was + * written is returned in *wp. + */ + +static int +vasnmprintf(char **str, size_t maxsz, int *wp, const char *fmt, va_list ap) +{ + char *src; /* Source string returned from vasprintf. */ + char *sp; /* Pointer into src. */ + char *dst; /* Destination string to be returned. */ + char *dp; /* Pointer into dst. */ + char *tp; /* Temporary pointer for dst. */ + size_t sz; /* Number of bytes allocated for dst. */ + size_t tsz; /* Temporary size while extending dst. */ + wchar_t wc; /* Wide character at sp. */ + int len; /* Number of bytes in the character at sp. */ + int ret; /* Number of bytes needed to format src. */ + int width; /* Display width of the character wc. */ + int total_width, max_width, print; + + src = dst = NULL; + if (vasprintf(&src, fmt, ap) <= 0) + goto fail; + + sz = strlen(src); + if ((dst = malloc(sz)) == NULL) + goto fail; + + if (maxsz > INT_MAX) + maxsz = INT_MAX; + + sp = src; + dp = dst; + ret = 0; + print = 1; + total_width = 0; + max_width = wp == NULL ? INT_MAX : *wp; + while (*sp != '\0') { + if ((len = mbtowc(&wc, sp, MB_CUR_MAX)) == -1) { + (void)mbtowc(NULL, NULL, MB_CUR_MAX); + if (dangerous_locale()) { + ret = -1; + break; + } + len = 1; + width = -1; + } else if (wp == NULL && + (wc == L'\n' || wc == L'\r' || wc == L'\t')) { + /* + * Don't use width uninitialized; the actual + * value doesn't matter because total_width + * is only returned for wp != NULL. + */ + width = 0; + } else if ((width = wcwidth(wc)) == -1 && + dangerous_locale()) { + ret = -1; + break; + } + + /* Valid, printable character. */ + + if (width >= 0) { + if (print && (dp - dst >= (int)maxsz - len || + total_width > max_width - width)) + print = 0; + if (print) { + total_width += width; + memcpy(dp, sp, len); + dp += len; + } + sp += len; + if (ret >= 0) + ret += len; + continue; + } + + /* Escaping required. */ + + while (len > 0) { + if (print && (dp - dst >= (int)maxsz - 4 || + total_width > max_width - 4)) + print = 0; + if (print) { + if (dp + 4 >= dst + sz) { + tsz = sz + 128; + if (tsz > maxsz) + tsz = maxsz; + tp = realloc(dst, tsz); + if (tp == NULL) { + ret = -1; + break; + } + dp = tp + (dp - dst); + dst = tp; + sz = tsz; + } + tp = vis(dp, *sp, VIS_OCTAL | VIS_ALL, 0); + width = tp - dp; + total_width += width; + dp = tp; + } else + width = 4; + len--; + sp++; + if (ret >= 0) + ret += width; + } + if (len > 0) + break; + } + free(src); + *dp = '\0'; + *str = dst; + if (wp != NULL) + *wp = total_width; + + /* + * If the string was truncated by the width limit but + * would have fit into the size limit, the only sane way + * to report the problem is using the return value, such + * that the usual idiom "if (ret < 0 || ret >= sz) error" + * works as expected. + */ + + if (ret < (int)maxsz && !print) + ret = -1; + return ret; + +fail: + free(src); + free(dst); + *str = NULL; + if (wp != NULL) + *wp = 0; + return -1; +} + +int +snmprintf(char *str, size_t sz, int *wp, const char *fmt, ...) +{ + va_list ap; + char *cp; + int ret; + + va_start(ap, fmt); + ret = vasnmprintf(&cp, sz, wp, fmt, ap); + va_end(ap); + (void)strlcpy(str, cp, sz); + free(cp); + return ret; +} + +/* + * To stay close to the standard interfaces, the following functions + * return the number of non-NUL bytes written. + */ + +int +vfmprintf(FILE *stream, const char *fmt, va_list ap) +{ + char *str; + int ret; + + if ((ret = vasnmprintf(&str, INT_MAX, NULL, fmt, ap)) < 0) + return -1; + if (fputs(str, stream) == EOF) + ret = -1; + free(str); + return ret; +} + +int +fmprintf(FILE *stream, const char *fmt, ...) +{ + va_list ap; + int ret; + + va_start(ap, fmt); + ret = vfmprintf(stream, fmt, ap); + va_end(ap); + return ret; +} + +int +mprintf(const char *fmt, ...) +{ + va_list ap; + int ret; + + va_start(ap, fmt); + ret = vfmprintf(stdout, fmt, ap); + va_end(ap); + return ret; +} -- cgit v1.2.3 From ac284a355f8065eaef2a16f446f3c44cdd17371d Mon Sep 17 00:00:00 2001 From: "schwarze@openbsd.org" Date: Mon, 30 May 2016 12:05:56 +0000 Subject: upstream commit Fix two rare edge cases: 1. If vasprintf() returns < 0, do not access a NULL pointer in snmprintf(), and do not free() the pointer returned from vasprintf() because on some systems other than OpenBSD, it might be a bogus pointer. 2. If vasprintf() returns == 0, return 0 and "" rather than -1 and NULL. Besides, free(dst) is pointless after failure (not a bug). One half OK martijn@, the other half OK deraadt@; committing quickly before people get hurt. Upstream-ID: b7bcd2e82fc168a8eff94e41f5db336ed986fed0 --- utf8.c | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) (limited to 'utf8.c') diff --git a/utf8.c b/utf8.c index d6089bdec..caf789cee 100644 --- a/utf8.c +++ b/utf8.c @@ -1,4 +1,4 @@ -/* $OpenBSD: utf8.c,v 1.1 2016/05/25 23:48:45 schwarze Exp $ */ +/* $OpenBSD: utf8.c,v 1.2 2016/05/30 12:05:56 schwarze Exp $ */ /* * Copyright (c) 2016 Ingo Schwarze * @@ -81,13 +81,15 @@ vasnmprintf(char **str, size_t maxsz, int *wp, const char *fmt, va_list ap) int width; /* Display width of the character wc. */ int total_width, max_width, print; - src = dst = NULL; - if (vasprintf(&src, fmt, ap) <= 0) + src = NULL; + if ((ret = vasprintf(&src, fmt, ap)) <= 0) goto fail; sz = strlen(src); - if ((dst = malloc(sz)) == NULL) + if ((dst = malloc(sz)) == NULL) { + free(src); goto fail; + } if (maxsz > INT_MAX) maxsz = INT_MAX; @@ -191,12 +193,15 @@ vasnmprintf(char **str, size_t maxsz, int *wp, const char *fmt, va_list ap) return ret; fail: - free(src); - free(dst); - *str = NULL; if (wp != NULL) *wp = 0; - return -1; + if (ret == 0) { + *str = src; + return 0; + } else { + *str = NULL; + return -1; + } } int @@ -209,8 +214,11 @@ snmprintf(char *str, size_t sz, int *wp, const char *fmt, ...) va_start(ap, fmt); ret = vasnmprintf(&cp, sz, wp, fmt, ap); va_end(ap); - (void)strlcpy(str, cp, sz); - free(cp); + if (cp != NULL) { + (void)strlcpy(str, cp, sz); + free(cp); + } else + *str = '\0'; return ret; } -- cgit v1.2.3 From cd9e1eabeb4137182200035ab6fa4522f8d24044 Mon Sep 17 00:00:00 2001 From: "schwarze@openbsd.org" Date: Mon, 30 May 2016 12:57:21 +0000 Subject: upstream commit Even when only writing an unescaped character, the dst buffer may need to grow, or it would be overrun; issue found by tb@ with malloc.conf(5) 'C'. While here, reserve an additional byte for the terminating NUL up front such that we don't have to realloc() later just for that. OK tb@ Upstream-ID: 30ebcc0c097c4571b16f0a78b44969f170db0cff --- utf8.c | 46 +++++++++++++++++++++++++++++++--------------- 1 file changed, 31 insertions(+), 15 deletions(-) (limited to 'utf8.c') diff --git a/utf8.c b/utf8.c index caf789cee..18ee53858 100644 --- a/utf8.c +++ b/utf8.c @@ -1,4 +1,4 @@ -/* $OpenBSD: utf8.c,v 1.2 2016/05/30 12:05:56 schwarze Exp $ */ +/* $OpenBSD: utf8.c,v 1.3 2016/05/30 12:57:21 schwarze Exp $ */ /* * Copyright (c) 2016 Ingo Schwarze * @@ -33,6 +33,7 @@ #include "utf8.h" static int dangerous_locale(void); +static int grow_dst(char **, size_t *, size_t, char **, size_t); static int vasnmprintf(char **, size_t, int *, const char *, va_list); @@ -53,6 +54,25 @@ dangerous_locale(void) { return strcmp(loc, "US-ASCII") && strcmp(loc, "UTF-8"); } +static int +grow_dst(char **dst, size_t *sz, size_t maxsz, char **dp, size_t need) +{ + char *tp; + size_t tsz; + + if (*dp + need < *dst + *sz) + return 0; + tsz = *sz + 128; + if (tsz > maxsz) + tsz = maxsz; + if ((tp = realloc(*dst, tsz)) == NULL) + return -1; + *dp = tp + (*dp - *dst); + *dst = tp; + *sz = tsz; + return 0; +} + /* * The following two functions limit the number of bytes written, * including the terminating '\0', to sz. Unless wp is NULL, @@ -74,7 +94,6 @@ vasnmprintf(char **str, size_t maxsz, int *wp, const char *fmt, va_list ap) char *dp; /* Pointer into dst. */ char *tp; /* Temporary pointer for dst. */ size_t sz; /* Number of bytes allocated for dst. */ - size_t tsz; /* Temporary size while extending dst. */ wchar_t wc; /* Wide character at sp. */ int len; /* Number of bytes in the character at sp. */ int ret; /* Number of bytes needed to format src. */ @@ -85,7 +104,7 @@ vasnmprintf(char **str, size_t maxsz, int *wp, const char *fmt, va_list ap) if ((ret = vasprintf(&src, fmt, ap)) <= 0) goto fail; - sz = strlen(src); + sz = strlen(src) + 1; if ((dst = malloc(sz)) == NULL) { free(src); goto fail; @@ -130,6 +149,11 @@ vasnmprintf(char **str, size_t maxsz, int *wp, const char *fmt, va_list ap) total_width > max_width - width)) print = 0; if (print) { + if (grow_dst(&dst, &sz, maxsz, + &dp, len) == -1) { + ret = -1; + break; + } total_width += width; memcpy(dp, sp, len); dp += len; @@ -147,18 +171,10 @@ vasnmprintf(char **str, size_t maxsz, int *wp, const char *fmt, va_list ap) total_width > max_width - 4)) print = 0; if (print) { - if (dp + 4 >= dst + sz) { - tsz = sz + 128; - if (tsz > maxsz) - tsz = maxsz; - tp = realloc(dst, tsz); - if (tp == NULL) { - ret = -1; - break; - } - dp = tp + (dp - dst); - dst = tp; - sz = tsz; + if (grow_dst(&dst, &sz, maxsz, + &dp, 4) == -1) { + ret = -1; + break; } tp = vis(dp, *sp, VIS_OCTAL | VIS_ALL, 0); width = tp - dp; -- cgit v1.2.3 From df820722e40309c9b3f360ea4ed47a584ed74333 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 6 Jun 2016 11:36:13 +1000 Subject: Add compat bits to utf8.c. --- utf8.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'utf8.c') diff --git a/utf8.c b/utf8.c index 18ee53858..6445b3766 100644 --- a/utf8.c +++ b/utf8.c @@ -20,6 +20,8 @@ * in particular to sanitize untrusted strings for terminal output. */ +#include "includes.h" + #include #include #include @@ -27,7 +29,9 @@ #include #include #include -#include +#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS) +# include +#endif #include #include "utf8.h" -- cgit v1.2.3 From f3f2cc8386868f51440c45210098f65f9787449a Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 11 Jul 2016 17:23:38 +1000 Subject: Check for wchar.h and langinfo.h Wrap includes in the appropriate #ifdefs. --- configure.ac | 2 ++ utf8.c | 8 ++++++-- 2 files changed, 8 insertions(+), 2 deletions(-) (limited to 'utf8.c') diff --git a/configure.ac b/configure.ac index 9da2b0364..2bb5a63c8 100644 --- a/configure.ac +++ b/configure.ac @@ -381,6 +381,7 @@ AC_CHECK_HEADERS([ \ ia.h \ iaf.h \ inttypes.h \ + langinfo.h \ limits.h \ locale.h \ login.h \ @@ -433,6 +434,7 @@ AC_CHECK_HEADERS([ \ utmp.h \ utmpx.h \ vis.h \ + wchar.h \ ]) # lastlog.h requires sys/time.h to be included first on Solaris diff --git a/utf8.c b/utf8.c index 6445b3766..f563d3738 100644 --- a/utf8.c +++ b/utf8.c @@ -23,7 +23,9 @@ #include "includes.h" #include -#include +#ifdef HAVE_LANGINFO_H +# include +#endif #include #include #include @@ -32,7 +34,9 @@ #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS) # include #endif -#include +#ifdef HAVE_WCHAR_H +# include +#endif #include "utf8.h" -- cgit v1.2.3