Fix overflow vulnerability in Gerbview

Corrects an unguarded read that could lead to arbitrary code execution in specifically crafted gerber files. Fixes https://gitlab.com/kicad/code/kicad/issues/10700
4 years ago · 54b20cb049
5 changed files with 19 additions and 45 deletions
--- a/gerbview/excellon_image.h
+++ b/gerbview/excellon_image.h
@ -195,11 +195,6 @@ private:
     */
    bool readToolInformation( char*& aText );

-    int TCodeNumber( char*& aText )
-    {
-        return DCodeNumber( aText );
-    }
-
    /**
     * End a route command started by M15 ot G01, G02 or G03 command.
     */
--- a/gerbview/excellon_read_drill_file.cpp
+++ b/gerbview/excellon_read_drill_file.cpp
@ -903,7 +903,7 @@ bool EXCELLON_IMAGE::Select_Tool( char*& text )
    // in tool selection command, if the tool is not defined in list,
    // and the definition is embedded, it will be entered in list
    char * startline = text;    // the tool id starts here.
-    int tool_id = TCodeNumber( text );
+    int tool_id = CodeNumber( text );

    // T0 is legal, but is not a selection tool. it is a special command
    if( tool_id >= 0 )
--- a/gerbview/gerber_file_image.h
+++ b/gerbview/gerber_file_image.h
@ -232,9 +232,12 @@ public:
     */
    VECTOR2I ReadIJCoord( char*& Text );

-    // functions to read G commands or D commands:
-    int GCodeNumber( char*& Text );
-    int DCodeNumber( char*& Text );
+    /**
+     * Reads the next number and returns the value
+     * @param aText Pointer to the input string vector
+     * @return
+     */
+    int CodeNumber( char*& aText );

    /**
     * Return a pointer to the D_CODE within this GERBER for the given \a aDCODE.
--- a/gerbview/readgerb.cpp
+++ b/gerbview/readgerb.cpp
@ -284,13 +284,13 @@ bool GERBER_FILE_IMAGE::LoadGerberFile( const wxString& aFullFileName )
                break;

            case 'G':    /* Line type Gxx : command */
-                G_command = GCodeNumber( text );
+                G_command = CodeNumber( text );
                Execute_G_Command( text, G_command );
                break;

            case 'D':       /* Line type Dxx : Tool selection (xx > 0) or
                             * command if xx = 0..9 */
-                D_commande = DCodeNumber( text );
+                D_commande = CodeNumber( text );
                Execute_DCODE_Command( text, D_commande );
                break;

--- a/gerbview/rs274d.cpp
+++ b/gerbview/rs274d.cpp
@ -395,47 +395,23 @@ static void fillArcPOLY( GERBER_DRAW_ITEM* aGbrItem, const VECTOR2I& aStart, con
 }


-int GERBER_FILE_IMAGE::GCodeNumber( char*& Text )
+int GERBER_FILE_IMAGE::CodeNumber( char*& aText )
 {
-    int   ii = 0;
-    char* text;
-    char  line[1024];
+    int retval;
+    char* endptr;

-    if( Text == nullptr )
-        return 0;
-
-    Text++;
-    text = line;
-
-    while( IsNumber( *Text ) )
-    {
-        *(text++) = *(Text++);
-    }
+    errno = 0;

-    *text = 0;
-    ii    = atoi( line );
-    return ii;
-}
-
-
-int GERBER_FILE_IMAGE::DCodeNumber( char*& Text )
-{
-    int   ii = 0;
-    char* text;
-    char  line[1024];
+    retval = strtol( aText + 1, &endptr, 10 );

-    if( Text == nullptr )
+    if( endptr == aText || errno != 0 )
        return 0;

-    Text++;
-    text = line;
+    wxCHECK_MSG( retval < std::numeric_limits<int>::max(), 0, _( "Invalid Code Number" ) );

-    while( IsNumber( *Text ) )
-        *(text++) = *(Text++);
+    aText = endptr;

-    *text = 0;
-    ii    = atoi( line );
-    return ii;
+    return static_cast<int>( retval );
 }


@ -492,7 +468,7 @@ bool GERBER_FILE_IMAGE::Execute_G_Command( char*& text, int G_command )

    case GC_SELECT_TOOL:
    {
-        int D_commande = DCodeNumber( text );
+        int D_commande = CodeNumber( text );

        if( D_commande < FIRST_DCODE )
            return false;