From: Lee Chee Yang <[email protected]> Signed-off-by: Lee Chee Yang <[email protected]> --- .../recipes-support/re2c/re2c/CVE-2020-11958.patch | 41 ++++++++++++++++++++++ meta/recipes-support/re2c/re2c_1.3.bb | 4 ++- 2 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/re2c/re2c/CVE-2020-11958.patch
diff --git a/meta/recipes-support/re2c/re2c/CVE-2020-11958.patch b/meta/recipes-support/re2c/re2c/CVE-2020-11958.patch new file mode 100644 index 0000000..43462e6 --- /dev/null +++ b/meta/recipes-support/re2c/re2c/CVE-2020-11958.patch @@ -0,0 +1,41 @@ +From c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a Mon Sep 17 00:00:00 2001 +From: Ulya Trofimovich <[email protected]> +Date: Fri, 17 Apr 2020 22:47:14 +0100 +Subject: [PATCH] Fix crash in lexer refill (reported by Agostino Sarubbo). + +The crash happened in a rare case of a very long lexeme that doen't fit +into the buffer, forcing buffer reallocation. + +The crash was caused by an incorrect calculation of the shift offset +(it was smaller than necessary). As a consequence, the data from buffer +start and up to the beginning of the current lexeme was not discarded +(as it should have been), resulting in less free space for new data than +expected. + +Upstream-Status: Backport [https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a] +CVE: CVE-2020-11958 +Signed-off-by: Lee Chee Yang <[email protected]> +--- + src/parse/scanner.cc | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/parse/scanner.cc b/src/parse/scanner.cc +index 1d6e9efa..bd651314 100644 +--- a/src/parse/scanner.cc ++++ b/src/parse/scanner.cc +@@ -155,13 +155,14 @@ bool Scanner::fill(size_t need) + if (!buf) fatal("out of memory"); + + memmove(buf, tok, copy); +- shift_ptrs_and_fpos(buf - bot); ++ shift_ptrs_and_fpos(buf - tok); + delete [] bot; + bot = buf; + + free = BSIZE - copy; + } + ++ DASSERT(lim + free <= bot + BSIZE); + if (!read(free)) { + eof = lim; + memset(lim, 0, YYMAXFILL); diff --git a/meta/recipes-support/re2c/re2c_1.3.bb b/meta/recipes-support/re2c/re2c_1.3.bb index 0e1d938..e9053ac 100644 --- a/meta/recipes-support/re2c/re2c_1.3.bb +++ b/meta/recipes-support/re2c/re2c_1.3.bb @@ -5,7 +5,9 @@ SECTION = "devel" LICENSE = "PD" LIC_FILES_CHKSUM = "file://LICENSE;md5=64eca4d8a3b67f9dc7656094731a2c8d" -SRC_URI = "https://github.com/skvadrik/re2c/releases/download/${PV}/${BPN}-${PV}.tar.xz"; +SRC_URI = "https://github.com/skvadrik/re2c/releases/download/${PV}/${BPN}-${PV}.tar.xz \ + file://CVE-2020-11958.patch \ +" SRC_URI[sha256sum] = "f37f25ff760e90088e7d03d1232002c2c2672646d5844fdf8e0d51a5cd75a503" UPSTREAM_CHECK_URI = "https://github.com/skvadrik/re2c/releases"; -- 2.7.4
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#138766): https://lists.openembedded.org/g/openembedded-core/message/138766 Mute This Topic: https://lists.openembedded.org/mt/74496157/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
