diff options
author | Lee Chee Yang <chee.yang.lee@intel.com> | 2020-05-27 17:11:10 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-05-27 10:51:29 +0100 |
commit | 17daffa1bc6d5af2d77dafd2b146d78802e4f2d2 (patch) | |
tree | a829f491c30580e8fdc177632b860c1fdfc9ff7d | |
parent | 662c688e635f4490aac0d6d34ce7a7b31d73f5c5 (diff) | |
download | openembedded-core-17daffa1bc6d5af2d77dafd2b146d78802e4f2d2.tar.gz |
re2c: fix CVE-2020-11958
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-support/re2c/re2c/CVE-2020-11958.patch | 41 | ||||
-rw-r--r-- | meta/recipes-support/re2c/re2c_1.3.bb | 4 |
2 files changed, 44 insertions, 1 deletions
diff --git a/meta/recipes-support/re2c/re2c/CVE-2020-11958.patch b/meta/recipes-support/re2c/re2c/CVE-2020-11958.patch new file mode 100644 index 0000000000..43462e642a --- /dev/null +++ b/meta/recipes-support/re2c/re2c/CVE-2020-11958.patch @@ -0,0 +1,41 @@ +From c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a Mon Sep 17 00:00:00 2001 +From: Ulya Trofimovich <skvadrik@gmail.com> +Date: Fri, 17 Apr 2020 22:47:14 +0100 +Subject: [PATCH] Fix crash in lexer refill (reported by Agostino Sarubbo). + +The crash happened in a rare case of a very long lexeme that doen't fit +into the buffer, forcing buffer reallocation. + +The crash was caused by an incorrect calculation of the shift offset +(it was smaller than necessary). As a consequence, the data from buffer +start and up to the beginning of the current lexeme was not discarded +(as it should have been), resulting in less free space for new data than +expected. + +Upstream-Status: Backport [https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a] +CVE: CVE-2020-11958 +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> +--- + src/parse/scanner.cc | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/parse/scanner.cc b/src/parse/scanner.cc +index 1d6e9efa..bd651314 100644 +--- a/src/parse/scanner.cc ++++ b/src/parse/scanner.cc +@@ -155,13 +155,14 @@ bool Scanner::fill(size_t need) + if (!buf) fatal("out of memory"); + + memmove(buf, tok, copy); +- shift_ptrs_and_fpos(buf - bot); ++ shift_ptrs_and_fpos(buf - tok); + delete [] bot; + bot = buf; + + free = BSIZE - copy; + } + ++ DASSERT(lim + free <= bot + BSIZE); + if (!read(free)) { + eof = lim; + memset(lim, 0, YYMAXFILL); diff --git a/meta/recipes-support/re2c/re2c_1.3.bb b/meta/recipes-support/re2c/re2c_1.3.bb index 0e1d938748..e9053acdf6 100644 --- a/meta/recipes-support/re2c/re2c_1.3.bb +++ b/meta/recipes-support/re2c/re2c_1.3.bb @@ -5,7 +5,9 @@ SECTION = "devel" LICENSE = "PD" LIC_FILES_CHKSUM = "file://LICENSE;md5=64eca4d8a3b67f9dc7656094731a2c8d" -SRC_URI = "https://github.com/skvadrik/re2c/releases/download/${PV}/${BPN}-${PV}.tar.xz" +SRC_URI = "https://github.com/skvadrik/re2c/releases/download/${PV}/${BPN}-${PV}.tar.xz \ + file://CVE-2020-11958.patch \ +" SRC_URI[sha256sum] = "f37f25ff760e90088e7d03d1232002c2c2672646d5844fdf8e0d51a5cd75a503" UPSTREAM_CHECK_URI = "https://github.com/skvadrik/re2c/releases" |