https://github.com/liblouis/liblouis/issues/425
https://bugzilla.redhat.com/show_bug.cgi?id=1492701
https://access.redhat.com/errata/RHSA-2017:3111

From 2fe2b279994e3ed70bae461e284702cc1c7d4665 Mon Sep 17 00:00:00 2001
From: Raphael Sanchez Prudencio <rsprudencio@redhat.com>
Date: Mon, 18 Sep 2017 18:44:31 +0200
Subject: [PATCH 5/7] Fix multiple stack-based buffer overflows in findTable().

Fixes CVE-2014-8184.
---
 liblouis/compileTranslationTable.c | 35 +++++++++++------------------------
 1 file changed, 11 insertions(+), 24 deletions(-)

diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c
index ec4963f0..25c0208f 100644
--- a/liblouis/compileTranslationTable.c
+++ b/liblouis/compileTranslationTable.c
@@ -4502,8 +4502,7 @@ findTable (const char *tableName)
   char trialPath[MAXSTRING];
   if (tableName == NULL || tableName[0] == 0)
     return NULL;
-  strcpy (trialPath, tablePath);
-  strcat (trialPath, tableName);
+  snprintf (trialPath, MAXSTRING-1, "%s%s", tablePath, tableName);
   if ((tableFile = fopen (trialPath, "rb")))
     return tableFile;
   pathEnd[0] = DIR_SEP;
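Review bot: The return value of `snprintf` is discarded here, so a `tablePath` plus `tableName` that does not fit is silently truncated and `fopen` is tried on a path other than the one requested. Every `snprintf` added in the later hunks of this patch has the same gap. Skip the candidate on truncation, for example `int n = snprintf (trialPath, sizeof trialPath, "%s%s", tablePath, tableName);` followed by `if (n >= 0 && (size_t) n < sizeof trialPath && (tableFile = fopen (trialPath, "rb")))`. Passing `sizeof trialPath` instead of `MAXSTRING-1` is safe because `snprintf` already counts the terminator within the size it is given. The body of findTable starts and continues outside this hunk.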
@@ -4522,18 +4521,15 @@ findTable (const char *tableName)
 	    break;
 	if (k == listLength || k == 0)
 	  {			/* Only one file */
-	    strcpy (trialPath, pathList);
-	    strcat (trialPath, pathEnd);
-	    strcat (trialPath, tableName);
+	    snprintf (trialPath, MAXSTRING-1, "%s%s%s", pathList, pathEnd, tableName);
 	    if ((tableFile = fopen (trialPath, "rb")))
 	      break;
 	  }
 	else
 	  {			/* Compile a list of files */
-	    strncpy (trialPath, pathList, k);
-	    trialPath[k] = 0;
-	    strcat (trialPath, pathEnd);
-	    strcat (trialPath, tableName);
+	    char path[MAXSTRING];
+	    strncpy (path, pathList, k);
+	    snprintf (trialPath, MAXSTRING-1, "%s%s%s", path, pathEnd, tableName);
 	    currentListPos = k + 1;
 	    if ((tableFile = fopen (trialPath, "rb")))
 	      break;
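Review bot: The new `path` buffer is read without a terminator. `strncpy (path, pathList, k)` copies exactly `k` bytes and appends no NUL when the source is at least that long, and the removed `trialPath[k] = 0;` has no replacement, so the `%s` in the following `snprintf` reads uninitialized stack until it meets a zero byte. `k` is also never compared with `MAXSTRING`, so a list element longer than the buffer would still overflow `path`. Both problems recur at `strncpy (path, &pathList[currentListPos], k - currentListPos)` in the next hunk. Dropping the temporary and bounding the copy with a precision avoids both: `snprintf (trialPath, sizeof trialPath, "%.*s%s%s", (int) k, pathList, pathEnd, tableName);` here, and `"%.*s%s%s", (int) (k - currentListPos), &pathList[currentListPos], pathEnd, tableName` in the next hunk.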
@@ -4542,11 +4538,8 @@ findTable (const char *tableName)
 		for (k = currentListPos; k < listLength; k++)
 		  if (pathList[k] == ',')
 		    break;
-		strncpy (trialPath,
-			 &pathList[currentListPos], k - currentListPos);
-		trialPath[k - currentListPos] = 0;
-		strcat (trialPath, pathEnd);
-		strcat (trialPath, tableName);
+		strncpy (path, &pathList[currentListPos], k - currentListPos);
+		snprintf (trialPath, MAXSTRING-1, "%s%s%s", path, pathEnd, tableName);
 		if ((tableFile = fopen (trialPath, "rb")))
 		  currentListPos = k + 1;
 		break;
@@ -4564,26 +4557,20 @@ findTable (const char *tableName)
   pathList = lou_getDataPath ();
   if (pathList)
     {
-      strcpy (trialPath, pathList);
-      strcat (trialPath, pathEnd);
 #ifdef _WIN32
-      strcat (trialPath, "liblouis\\tables\\");
+      snprintf (trialPath, MAXSTRING-1, "%s%sliblouis\\tables\\%s", pathList, pathEnd, tableName);
 #else
-      strcat (trialPath, "liblouis/tables/");
+      snprintf (trialPath, MAXSTRING-1, "%s%sliblouis/tables/%s", pathList, pathEnd, tableName);
 #endif
-      strcat (trialPath, tableName);
       if ((tableFile = fopen (trialPath, "rb")))
 	return tableFile;
     }
   /* See if table on installed or program path. */
 #ifdef _WIN32
-  strcpy (trialPath, lou_getProgramPath ());
-  strcat (trialPath, "\\share\\liblouss\\tables\\");
+  snprintf (trialPath, MAXSTRING-1, "%s\\share\\liblouss\\tables\\%s", lou_getProgramPath(), tableName);
 #else
-  strcpy (trialPath, TABLESDIR);
-  strcat (trialPath, pathEnd);
+  snprintf (trialPath, MAXSTRING-1, "%s%s%s", TABLESDIR, pathEnd, tableName);
 #endif
-  strcat (trialPath, tableName);
   if ((tableFile = fopen (trialPath, "rb")))
     return tableFile;
   return NULL;
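Review bot: In the `_WIN32` branch, the result of `lou_getProgramPath()` goes straight to `%s`, whereas `lou_getDataPath ()` just above is guarded by `if (pathList)`. Whether the program-path call can return NULL is not visible in this hunk, but if it can, the `%s` conversion is undefined behaviour; a guard such as `const char *prog = lou_getProgramPath (); if (prog == NULL) return NULL;` before the `snprintf` would close that. The literal `\\share\\liblouss\\tables\\` is carried over unchanged from the removed `strcat` line and looks like a typo for `liblouis`, which is the spelling used in the data-path branch, so please confirm which one matches the install layout. The truncation check raised on the first hunk applies to the three `snprintf` calls here as well.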
-- 
2.13.5

