From: Ben Pfaff
Date: Sun, 27 Aug 2017 19:30:30 +0000 (-0700)
Subject: sys-file-reader: Fully verify multiple response set names.
X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?p=pspp;a=commitdiff_plain;h=f5e03ec7b8a217ef53ce0c77374cddc0dcd79fae

sys-file-reader: Fully verify multiple response set names.

Until now, the code only checked the first character of the name, which made it possible to assert-fail when the mrset was actually added.

CVE-2017-12959.
See also https://bugzilla.redhat.com/show_bug.cgi?id=1482432.
See also http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12959.
See also http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12959.

Found by team OWL337, using the collAFL fuzzer.
---
diff --git a/NEWS b/NEWS index 358960403f..8ef4520092 100644 --- a/NEWS +++ b/NEWS @@ -6,7 +6,7 @@ Please send PSPP bug reports to bug-gnu-pspp@gnu.org. Changes since 1.0.0: - * Bug fixes, including a fix for CVE-2017-12958. + * Bug fixes, including fixes for CVE-2017-12958 and CVE-2017-12959. Changes from 0.11.0 to 1.0.0: diff --git a/src/data/sys-file-reader.c b/src/data/sys-file-reader.c index 2ad146e880..dbc61345a8 100644 --- a/src/data/sys-file-reader.c +++ b/src/data/sys-file-reader.c @@ -1831,10 +1831,9 @@ decode_mrsets (struct sfm_reader *r, struct dictionary *dict) size_t i; name = recode_string ("UTF-8", r->encoding, s->name, -1); - if (name[0] != '$') + if (!mrset_is_valid_name (name, dict_get_encoding (dict), false)) { - sys_warn (r, -1, _("Multiple response set name `%s' does not begin " - "with `$'."), + sys_warn (r, -1, _("Invalid multiple response set name `%s'."), name); free (name); continue; diff --git a/tests/data/sys-file-reader.at b/tests/data/sys-file-reader.at index be4782284c..8ca6d74494 100644 --- a/tests/data/sys-file-reader.at +++ b/tests/data/sys-file-reader.at 
@@ -2539,9 +2539,9 @@ for variant in be le; do MRSETS /DISPLAY NAME=ALL. ]) AT_CHECK([pspp -O format=csv sys-file.sps], [0], [dnl -warning: `sys-file.sav': Multiple response set name `b' does not begin with `$'. +warning: `sys-file.sav': Invalid multiple response set name `b'. -warning: `sys-file.sav': Multiple response set name `e' does not begin with `$'. +warning: `sys-file.sav': Invalid multiple response set name `e'. Table: Multiple Response Sets Name,Variables,Details
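Review bot: in the src/data/sys-file-reader.c hunk, replacing `if (name[0] != '$')` with `if (!mrset_is_valid_name (name, dict_get_encoding (dict), false))` closes the gap the commit message describes, since the prefix-only check let a name that starts with `$` but is otherwise invalid reach the point where the mrset is added and the assertion fires; the third argument `false` is a bare literal whose meaning is not visible in the hunk, so a short comment or a named constant at the call site would help the next reader. The replacement warning `_("Invalid multiple response set name `%s'.")` also drops the reason the old message gave (`does not begin with `$'`); that is acceptable now that the check covers more than the prefix, but if `mrset_is_valid_name` can report why a name was rejected, surfacing that reason in the warning would make rejected files easier to diagnose.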
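Review bot: the tests/data/sys-file-reader.at hunk only updates the wording of the two existing expected warnings (names `b` and `e`, which lack the `$` prefix); it adds no case for a name that does begin with `$` but is otherwise invalid, which is exactly the input the old `name[0] != '$'` check accepted and that the commit message says led to the assertion failure. Suggest adding such a name to the sys-file.sav fixture in this test so the new `mrset_is_valid_name` path is exercised and a regression back to a prefix-only check would be caught.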