summaryrefslogtreecommitdiff
path: root/user
diff options
context:
space:
mode:
Diffstat (limited to 'user')
-rw-r--r--user/re2c/APKBUILD13
-rw-r--r--user/re2c/CVE-2020-11958.patch37
2 files changed, 47 insertions, 3 deletions
diff --git a/user/re2c/APKBUILD b/user/re2c/APKBUILD
index d039a5baf..aad7b839e 100644
--- a/user/re2c/APKBUILD
+++ b/user/re2c/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer:
pkgname=re2c
pkgver=1.3
-pkgrel=0
+pkgrel=1
pkgdesc="Fast lexer generator for C and C++"
url="http://re2c.org/"
arch="all"
@@ -11,7 +11,13 @@ depends=""
checkdepends="bash"
makedepends=""
subpackages="$pkgname-doc"
-source="https://github.com/skvadrik/re2c/releases/download/$pkgver/$pkgname-$pkgver.tar.xz"
+source="https://github.com/skvadrik/re2c/releases/download/$pkgver/$pkgname-$pkgver.tar.xz
+ CVE-2020-11958.patch
+ "
+
+# secfixes:
+# 1.3-r1:
+# - CVE-2020-11958
build() {
./configure \
@@ -32,4 +38,5 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="c7084ab2399fb6b96cef74c1393715d90830f43b82b96af46feb71ef008c0215381c3dbea0b003ff810d869db6021e28001b9d588ad55c616642244b2da09c0e re2c-1.3.tar.xz"
+sha512sums="c7084ab2399fb6b96cef74c1393715d90830f43b82b96af46feb71ef008c0215381c3dbea0b003ff810d869db6021e28001b9d588ad55c616642244b2da09c0e re2c-1.3.tar.xz
+f4376b8e0724d500f665fa60dfd6fb35685a281af50c500d2ff90d781a829fb78f21e8c93c5745a4519acd55a62ec48a570dbfacf0a9ee977502e06f3e2e474a CVE-2020-11958.patch"
diff --git a/user/re2c/CVE-2020-11958.patch b/user/re2c/CVE-2020-11958.patch
new file mode 100644
index 000000000..b982b87e6
--- /dev/null
+++ b/user/re2c/CVE-2020-11958.patch
@@ -0,0 +1,37 @@
+From c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a Mon Sep 17 00:00:00 2001
+From: Ulya Trofimovich <skvadrik@gmail.com>
+Date: Fri, 17 Apr 2020 22:47:14 +0100
+Subject: [PATCH] Fix crash in lexer refill (reported by Agostino Sarubbo).
+
+The crash happened in a rare case of a very long lexeme that doen't fit
+into the buffer, forcing buffer reallocation.
+
+The crash was caused by an incorrect calculation of the shift offset
+(it was smaller than necessary). As a consequence, the data from buffer
+start and up to the beginning of the current lexeme was not discarded
+(as it should have been), resulting in less free space for new data than
+expected.
+---
+ src/parse/scanner.cc | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/parse/scanner.cc b/src/parse/scanner.cc
+index 1d6e9efa..bd651314 100644
+--- a/src/parse/scanner.cc
++++ b/src/parse/scanner.cc
+@@ -155,13 +155,14 @@ bool Scanner::fill(size_t need)
+ if (!buf) fatal("out of memory");
+
+ memmove(buf, tok, copy);
+- shift_ptrs_and_fpos(buf - bot);
++ shift_ptrs_and_fpos(buf - tok);
+ delete [] bot;
+ bot = buf;
+
+ free = BSIZE - copy;
+ }
+
++ DASSERT(lim + free <= bot + BSIZE);
+ if (!read(free)) {
+ eof = lim;
+ memset(lim, 0, YYMAXFILL);