diff options
author | A. Wilcox <awilcox@wilcox-tech.com> | 2020-05-05 03:31:05 +0000 |
---|---|---|
committer | A. Wilcox <awilcox@wilcox-tech.com> | 2020-05-05 03:31:05 +0000 |
commit | 5fb8228fc2a207f2ff6ae3ad98328a7664da0480 (patch) | |
tree | 18465a76a63599a5c9edf78383aed30cf8c5f7c4 /user/re2c/CVE-2020-11958.patch | |
parent | 9680fd28fc8dd8ff8abcb504a0f820ad655d5dfb (diff) | |
parent | 5df19234b438dd8d1d876033a8987e563c033c1a (diff) | |
download | packages-5fb8228fc2a207f2ff6ae3ad98328a7664da0480.tar.gz packages-5fb8228fc2a207f2ff6ae3ad98328a7664da0480.tar.bz2 packages-5fb8228fc2a207f2ff6ae3ad98328a7664da0480.tar.xz packages-5fb8228fc2a207f2ff6ae3ad98328a7664da0480.zip |
Merge branch 'sec/2020.04.20' into 'master'
Security updates for 2020.04.20
See merge request adelie/packages!441
Diffstat (limited to 'user/re2c/CVE-2020-11958.patch')
-rw-r--r-- | user/re2c/CVE-2020-11958.patch | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/user/re2c/CVE-2020-11958.patch b/user/re2c/CVE-2020-11958.patch new file mode 100644 index 000000000..b982b87e6 --- /dev/null +++ b/user/re2c/CVE-2020-11958.patch @@ -0,0 +1,37 @@ +From c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a Mon Sep 17 00:00:00 2001 +From: Ulya Trofimovich <skvadrik@gmail.com> +Date: Fri, 17 Apr 2020 22:47:14 +0100 +Subject: [PATCH] Fix crash in lexer refill (reported by Agostino Sarubbo). + +The crash happened in a rare case of a very long lexeme that doen't fit +into the buffer, forcing buffer reallocation. + +The crash was caused by an incorrect calculation of the shift offset +(it was smaller than necessary). As a consequence, the data from buffer +start and up to the beginning of the current lexeme was not discarded +(as it should have been), resulting in less free space for new data than +expected. +--- + src/parse/scanner.cc | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/parse/scanner.cc b/src/parse/scanner.cc +index 1d6e9efa..bd651314 100644 +--- a/src/parse/scanner.cc ++++ b/src/parse/scanner.cc +@@ -155,13 +155,14 @@ bool Scanner::fill(size_t need) + if (!buf) fatal("out of memory"); + + memmove(buf, tok, copy); +- shift_ptrs_and_fpos(buf - bot); ++ shift_ptrs_and_fpos(buf - tok); + delete [] bot; + bot = buf; + + free = BSIZE - copy; + } + ++ DASSERT(lim + free <= bot + BSIZE); + if (!read(free)) { + eof = lim; + memset(lim, 0, YYMAXFILL); |