Headline
CVE-2022-29776: Fix 25 errors · ONLYOFFICE/core@88cf60a
Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via the component DesktopEditor/common/File.cpp.
@@ -159,60 +159,90 @@ namespace NSFile else if (0x00 == (byteMain & 0x20)) { // 2 byte int val = (int)(((byteMain & 0x1F) << 6) | (pBuffer[lIndex + 1] & 0x3F)); int val = 0; if ((lIndex + 1) < lCount) { val = (int)(((byteMain & 0x1F) << 6) | (pBuffer[lIndex + 1] & 0x3F)); }
pUnicodeString[lIndexUnicode++] = (WCHAR)(val); lIndex += 2; } else if (0x00 == (byteMain & 0x10)) { // 3 byte int val = (int)(((byteMain & 0x0F) << 12) | ((pBuffer[lIndex + 1] & 0x3F) << 6) | (pBuffer[lIndex + 2] & 0x3F)); int val = 0; if ((lIndex + 2) < lCount) { val = (int)(((byteMain & 0x0F) << 12) | ((pBuffer[lIndex + 1] & 0x3F) << 6) | (pBuffer[lIndex + 2] & 0x3F)); }
pUnicodeString[lIndexUnicode++] = (WCHAR)(val); lIndex += 3; } else if (0x00 == (byteMain & 0x0F)) { // 4 byte int val = (int)(((byteMain & 0x07) << 18) | ((pBuffer[lIndex + 1] & 0x3F) << 12) | ((pBuffer[lIndex + 2] & 0x3F) << 6) | (pBuffer[lIndex + 3] & 0x3F)); int val = 0; if ((lIndex + 3) < lCount) { val = (int)(((byteMain & 0x07) << 18) | ((pBuffer[lIndex + 1] & 0x3F) << 12) | ((pBuffer[lIndex + 2] & 0x3F) << 6) | (pBuffer[lIndex + 3] & 0x3F)); }
pUnicodeString[lIndexUnicode++] = (WCHAR)(val); lIndex += 4; } else if (0x00 == (byteMain & 0x08)) { // 4 byte int val = (int)(((byteMain & 0x07) << 18) | ((pBuffer[lIndex + 1] & 0x3F) << 12) | ((pBuffer[lIndex + 2] & 0x3F) << 6) | (pBuffer[lIndex + 3] & 0x3F)); int val = 0; if ((lIndex + 3) < lCount) { val = (int)(((byteMain & 0x07) << 18) | ((pBuffer[lIndex + 1] & 0x3F) << 12) | ((pBuffer[lIndex + 2] & 0x3F) << 6) | (pBuffer[lIndex + 3] & 0x3F)); }
pUnicodeString[lIndexUnicode++] = (WCHAR)(val); lIndex += 4; } else if (0x00 == (byteMain & 0x04)) { // 5 byte int val = (int)(((byteMain & 0x03) << 24) | ((pBuffer[lIndex + 1] & 0x3F) << 18) | ((pBuffer[lIndex + 2] & 0x3F) << 12) | ((pBuffer[lIndex + 3] & 0x3F) << 6) | (pBuffer[lIndex + 4] & 0x3F)); int val = 0; if ((lIndex + 4) < lCount) { val = (int)(((byteMain & 0x03) << 24) | ((pBuffer[lIndex + 1] & 0x3F) << 18) | ((pBuffer[lIndex + 2] & 0x3F) << 12) | ((pBuffer[lIndex + 3] & 0x3F) << 6) | (pBuffer[lIndex + 4] & 0x3F)); }
pUnicodeString[lIndexUnicode++] = (WCHAR)(val); lIndex += 5; } else { // 6 byte int val = (int)(((byteMain & 0x01) << 30) | ((pBuffer[lIndex + 1] & 0x3F) << 24) | ((pBuffer[lIndex + 2] & 0x3F) << 18) | ((pBuffer[lIndex + 3] & 0x3F) << 12) | ((pBuffer[lIndex + 4] & 0x3F) << 6) | (pBuffer[lIndex + 5] & 0x3F)); int val = 0; if ((lIndex + 5) < lCount) { val = (int)(((byteMain & 0x01) << 30) | ((pBuffer[lIndex + 1] & 0x3F) << 24) | ((pBuffer[lIndex + 2] & 0x3F) << 18) | ((pBuffer[lIndex + 3] & 0x3F) << 12) | ((pBuffer[lIndex + 4] & 0x3F) << 6) | (pBuffer[lIndex + 5] & 0x3F)); }
pUnicodeString[lIndexUnicode++] = (WCHAR)(val); lIndex += 5; } @@ -242,64 +272,89 @@ namespace NSFile else if (0x00 == (byteMain & 0x20)) { // 2 byte int val = (int)(((byteMain & 0x1F) << 6) | (pBuffer[lIndex + 1] & 0x3F)); int val = 0; if ((lIndex + 1) < lCount) { val = (int)(((byteMain & 0x1F) << 6) | (pBuffer[lIndex + 1] & 0x3F)); }
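Review bot: The new length checks stop the read past the end of pBuffer, but in every multi-byte branch a truncated sequence now stores `val = 0` and still advances lIndex by the full sequence length, so malformed input puts an embedded NUL into the decoded string. Initialising with the replacement character, `int val = 0xFFFD;`, keeps the output free of embedded terminators and makes truncated input visible to callers; the same pattern repeats in the second hunk (@@ -242). Separately, the 6-byte branch reads `pBuffer[lIndex + 5]` but ends with `lIndex += 5;`, so the last continuation byte is decoded again as a lead byte; that should be `lIndex += 6;`. The enclosing function and its loop condition lie outside the hunk, so whether lIndex overshooting lCount is harmless there cannot be confirmed from this page.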
*pUnicodeString++ = (WCHAR)(val); lIndex += 2; } else if (0x00 == (byteMain & 0x10)) { // 3 byte int val = (int)(((byteMain & 0x0F) << 12) | ((pBuffer[lIndex + 1] & 0x3F) << 6) | (pBuffer[lIndex + 2] & 0x3F)); int val = 0; if ((lIndex + 2) < lCount) { val = (int)(((byteMain & 0x0F) << 12) | ((pBuffer[lIndex + 1] & 0x3F) << 6) | (pBuffer[lIndex + 2] & 0x3F)); }
WriteUtf16_WCHAR(val, pUnicodeString); lIndex += 3; } else if (0x00 == (byteMain & 0x0F)) { // 4 byte int val = (int)(((byteMain & 0x07) << 18) | ((pBuffer[lIndex + 1] & 0x3F) << 12) | ((pBuffer[lIndex + 2] & 0x3F) << 6) | (pBuffer[lIndex + 3] & 0x3F)); int val = 0; if ((lIndex + 3) < lCount) { val = (int)(((byteMain & 0x07) << 18) | ((pBuffer[lIndex + 1] & 0x3F) << 12) | ((pBuffer[lIndex + 2] & 0x3F) << 6) | (pBuffer[lIndex + 3] & 0x3F)); }
WriteUtf16_WCHAR(val, pUnicodeString); lIndex += 4; } else if (0x00 == (byteMain & 0x08)) { // 4 byte int val = (int)(((byteMain & 0x07) << 18) | ((pBuffer[lIndex + 1] & 0x3F) << 12) | ((pBuffer[lIndex + 2] & 0x3F) << 6) | (pBuffer[lIndex + 3] & 0x3F)); int val = 0; if ((lIndex + 3) < lCount) { val = (int)(((byteMain & 0x07) << 18) | ((pBuffer[lIndex + 1] & 0x3F) << 12) | ((pBuffer[lIndex + 2] & 0x3F) << 6) | (pBuffer[lIndex + 3] & 0x3F)); }
WriteUtf16_WCHAR(val, pUnicodeString); lIndex += 4; } else if (0x00 == (byteMain & 0x04)) { // 5 byte int val = (int)(((byteMain & 0x03) << 24) | ((pBuffer[lIndex + 1] & 0x3F) << 18) | ((pBuffer[lIndex + 2] & 0x3F) << 12) | ((pBuffer[lIndex + 3] & 0x3F) << 6) | (pBuffer[lIndex + 4] & 0x3F)); int val = 0; if ((lIndex + 4) < lCount) { val = (int)(((byteMain & 0x03) << 24) | ((pBuffer[lIndex + 1] & 0x3F) << 18) | ((pBuffer[lIndex + 2] & 0x3F) << 12) | ((pBuffer[lIndex + 3] & 0x3F) << 6) | (pBuffer[lIndex + 4] & 0x3F)); }
WriteUtf16_WCHAR(val, pUnicodeString); lIndex += 5; } else { // 6 byte int val = (int)(((byteMain & 0x01) << 30) | ((pBuffer[lIndex + 1] & 0x3F) << 24) | ((pBuffer[lIndex + 2] & 0x3F) << 18) | ((pBuffer[lIndex + 3] & 0x3F) << 12) | ((pBuffer[lIndex + 4] & 0x3F) << 6) | (pBuffer[lIndex + 5] & 0x3F)); int val = 0; if ((lIndex + 5) < lCount) { val = (int)(((byteMain & 0x01) << 30) | ((pBuffer[lIndex + 1] & 0x3F) << 24) | ((pBuffer[lIndex + 2] & 0x3F) << 18) | ((pBuffer[lIndex + 3] & 0x3F) << 12) | ((pBuffer[lIndex + 4] & 0x3F) << 6) | (pBuffer[lIndex + 5] & 0x3F)); }
WriteUtf16_WCHAR(val, pUnicodeString); lIndex += 5;