diff options
author | Max Rees <maxcrees@me.com> | 2020-04-20 18:32:56 -0500 |
---|---|---|
committer | Max Rees <maxcrees@me.com> | 2020-04-21 12:52:00 -0500 |
commit | 7dfa609028c77ce914bec3ad48f58b34fc1129b6 (patch) | |
tree | 54f5bd81e0ad9d67720d150f275febc4a9260b57 /user/re2c/CVE-2020-11958.patch | |
parent | c6f2b6e5cd89d70a3838a5bfb8da888d5dd1ce1e (diff) | |
download | packages-7dfa609028c77ce914bec3ad48f58b34fc1129b6.tar.gz packages-7dfa609028c77ce914bec3ad48f58b34fc1129b6.tar.bz2 packages-7dfa609028c77ce914bec3ad48f58b34fc1129b6.tar.xz packages-7dfa609028c77ce914bec3ad48f58b34fc1129b6.zip |
user/re2c: patch CVE-2020-11958
https://www.openwall.com/lists/oss-security/2020/04/19/1
Diffstat (limited to 'user/re2c/CVE-2020-11958.patch')
-rw-r--r-- | user/re2c/CVE-2020-11958.patch | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/user/re2c/CVE-2020-11958.patch b/user/re2c/CVE-2020-11958.patch new file mode 100644 index 000000000..b982b87e6 --- /dev/null +++ b/user/re2c/CVE-2020-11958.patch @@ -0,0 +1,37 @@ +From c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a Mon Sep 17 00:00:00 2001 +From: Ulya Trofimovich <skvadrik@gmail.com> +Date: Fri, 17 Apr 2020 22:47:14 +0100 +Subject: [PATCH] Fix crash in lexer refill (reported by Agostino Sarubbo). + +The crash happened in a rare case of a very long lexeme that doen't fit +into the buffer, forcing buffer reallocation. + +The crash was caused by an incorrect calculation of the shift offset +(it was smaller than necessary). As a consequence, the data from buffer +start and up to the beginning of the current lexeme was not discarded +(as it should have been), resulting in less free space for new data than +expected. +--- + src/parse/scanner.cc | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/parse/scanner.cc b/src/parse/scanner.cc +index 1d6e9efa..bd651314 100644 +--- a/src/parse/scanner.cc ++++ b/src/parse/scanner.cc +@@ -155,13 +155,14 @@ bool Scanner::fill(size_t need) + if (!buf) fatal("out of memory"); + + memmove(buf, tok, copy); +- shift_ptrs_and_fpos(buf - bot); ++ shift_ptrs_and_fpos(buf - tok); + delete [] bot; + bot = buf; + + free = BSIZE - copy; + } + ++ DASSERT(lim + free <= bot + BSIZE); + if (!read(free)) { + eof = lim; + memset(lim, 0, YYMAXFILL); |