From 17daffa1bc6d5af2d77dafd2b146d78802e4f2d2 Mon Sep 17 00:00:00 2001
From: Lee Chee Yang <chee.yang.lee@intel.com>
Date: Wed, 27 May 2020 17:11:10 +0800
Subject: re2c: fix CVE-2020-11958

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../recipes-support/re2c/re2c/CVE-2020-11958.patch | 41 ++++++++++++++++++++++
 meta/recipes-support/re2c/re2c_1.3.bb              |  4 ++-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/re2c/re2c/CVE-2020-11958.patch

(limited to 'meta/recipes-support')

diff --git a/meta/recipes-support/re2c/re2c/CVE-2020-11958.patch b/meta/recipes-support/re2c/re2c/CVE-2020-11958.patch
new file mode 100644
index 0000000000..43462e642a
--- /dev/null
+++ b/meta/recipes-support/re2c/re2c/CVE-2020-11958.patch
@@ -0,0 +1,41 @@
+From c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a Mon Sep 17 00:00:00 2001
+From: Ulya Trofimovich <skvadrik@gmail.com>
+Date: Fri, 17 Apr 2020 22:47:14 +0100
+Subject: [PATCH] Fix crash in lexer refill (reported by Agostino Sarubbo).
+
+The crash happened in a rare case of a very long lexeme that doen't fit
+into the buffer, forcing buffer reallocation.
+
+The crash was caused by an incorrect calculation of the shift offset
+(it was smaller than necessary). As a consequence, the data from buffer
+start and up to the beginning of the current lexeme was not discarded
+(as it should have been), resulting in less free space for new data than
+expected.
+
+Upstream-Status: Backport [https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a]
+CVE: CVE-2020-11958
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ src/parse/scanner.cc | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/parse/scanner.cc b/src/parse/scanner.cc
+index 1d6e9efa..bd651314 100644
+--- a/src/parse/scanner.cc
++++ b/src/parse/scanner.cc
+@@ -155,13 +155,14 @@ bool Scanner::fill(size_t need)
+         if (!buf) fatal("out of memory");
+ 
+         memmove(buf, tok, copy);
+-        shift_ptrs_and_fpos(buf - bot);
++        shift_ptrs_and_fpos(buf - tok);
+         delete [] bot;
+         bot = buf;
+ 
+         free = BSIZE - copy;
+     }
+ 
++    DASSERT(lim + free <= bot + BSIZE);
+     if (!read(free)) {
+         eof = lim;
+         memset(lim, 0, YYMAXFILL);
diff --git a/meta/recipes-support/re2c/re2c_1.3.bb b/meta/recipes-support/re2c/re2c_1.3.bb
index 0e1d938748..e9053acdf6 100644
--- a/meta/recipes-support/re2c/re2c_1.3.bb
+++ b/meta/recipes-support/re2c/re2c_1.3.bb
@@ -5,7 +5,9 @@ SECTION = "devel"
 LICENSE = "PD"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=64eca4d8a3b67f9dc7656094731a2c8d"
 
-SRC_URI = "https://github.com/skvadrik/re2c/releases/download/${PV}/${BPN}-${PV}.tar.xz"
+SRC_URI = "https://github.com/skvadrik/re2c/releases/download/${PV}/${BPN}-${PV}.tar.xz \
+           file://CVE-2020-11958.patch \
+"
 SRC_URI[sha256sum] = "f37f25ff760e90088e7d03d1232002c2c2672646d5844fdf8e0d51a5cd75a503"
 UPSTREAM_CHECK_URI = "https://github.com/skvadrik/re2c/releases"
 
-- 
cgit 1.2.3-korg