EANX_CC/UPCA_CC: fix crash in dbar_date() on not checking length

in `cc_binary_string()`, ticket #300 (#5 & #6), props Andre Maute; add other checks for length on processing encoding mode PDF417: fix out-of-bounds crash on overrunning string and codeword buffers by tripling size (convert to `short` instead of `int` to guard against too much stack), ticket #300 (#7 & #10), props Andre Maute; (TODO: add some checks instead to bail out earlier?) CODEONE: fix looping on latch crash in `c1_encode()`, ticket #300 (#8), props Andre Maute CODABLOCKF: fix crash on negative overflow of `columns` (`option_2`), ticket #300 (#9), props Andre Maute library: add `debug_print_escape()` helper for ZINT_DEBUG_PRINT
2025-05-23 11:36:54 -04:00 · 2023-11-27 12:55:53 +00:00 · 2023-11-27 12:55:53 +00:00 · a14fe77aa0
commit a14fe77aa0
parent 77c1ef1139
17 changed files with 561 additions and 193 deletions
--- a/backend/rss.c
+++ b/backend/rss.c
@ -810,10 +810,15 @@ INTERNAL int dbar_ltd(struct zint_symbol *symbol, unsigned char source[], int le
 }

 /* Check and convert date to DataBar date value */
-INTERNAL int dbar_date(const unsigned char source[], const int src_posn) {
-    int yy = to_int(source + src_posn, 2);
-    int mm = to_int(source + src_posn + 2, 2);
-    int dd = to_int(source + src_posn + 4, 2);
+INTERNAL int dbar_date(const unsigned char source[], const int length, const int src_posn) {
+    int yy, mm, dd;
+
+    if (src_posn + 4 + 2 > length) {
+        return -1;
+    }
+    yy = to_int(source + src_posn, 2);
+    mm = to_int(source + src_posn + 2, 2);
+    dd = to_int(source + src_posn + 4, 2);

    /* Month can't be zero but day can (means last day of month,
       GS1 General Specifications Sections 3.4.2 to 3.4.7) */
@ -875,7 +880,7 @@ static int dbar_exp_binary_string(struct zint_symbol *symbol, const unsigned cha

                } else if ((length == 34) && (source[26] == '1')
                            && (source[27] == '1' || source[27] == '3' || source[27] == '5' || source[27] == '7')
-                            && dbar_date(source, 28) >= 0) {
+                            && dbar_date(source, length, 28) >= 0) {

                    /* (01), (310x) and (11) - metric weight and production date */
                    /* (01), (310x) and (13) - metric weight and packaging date */
@ -906,7 +911,7 @@ static int dbar_exp_binary_string(struct zint_symbol *symbol, const unsigned cha

                } else if ((length == 34) && (source[26] == '1')
                            && (source[27] == '1' || source[27] == '3' || source[27] == '5' || source[27] == '7')
-                            && dbar_date(source, 28) >= 0) {
+                            && dbar_date(source, length, 28) >= 0) {

                    /* (01), (320x) and (11) - English weight and production date */
                    /* (01), (320x) and (13) - English weight and packaging date */
@ -1031,7 +1036,7 @@ static int dbar_exp_binary_string(struct zint_symbol *symbol, const unsigned cha

        if (length == 34) {
            /* Date information is included */
-            group_val = dbar_date(source, 28);
+            group_val = dbar_date(source, length, 28);
        } else {
            group_val = 38400;
        }