packages/byacc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!24 fix CVE-2021-33641 and CVE-2021-33642

Browse Source 
From: @zhoupengcheng11 
Reviewed-by: @lyn1001 
Signed-off-by: @lyn1001
This commit is contained in:
openeuler-ci-bot 2023-01-06 09:08:54 +00:00 committed by Gitee
commit 14b38251e6
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 106 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
CVE-2021-33641.patch Normal file
View File

@ -0,0 +1,55 @@
From 162549f599c4460bcefc1526cfa014fec626ebc5 Mon Sep 17 00:00:00 2001
From: zhoupengcheng <zhoupengcheng11@huawei.com>
Date: Sat, 26 Nov 2022 18:27:48 +0800
Subject: [PATCH] fix CVE-2021-33641
the global variable:cptr use-after-free in more_curly(),
save original line in more_curly() in case get new line to fix
CVE-2021-33641.
---
reader.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/reader.c b/reader.c
index 37dc2cb..2a1dfe5 100644
--- a/reader.c
+++ b/reader.c
@@ -1027,9 +1027,16 @@ trim_blanks(char *buffer)
static int
more_curly(void)
{
- char *save = cptr;
+
int result = 0;
int finish = 0;
+ FILE *f = input_file;
+ long int old_pos = ftell(f);
+ int save_linesize = linesize;
+ char *save_line = TMALLOC(char, linesize);
+ NO_SPACE(save_line);
+ char *save_cptr = save_line + (cptr - line);
+ memcpy(save_line, line, linesize);
do
{
switch (next_inline())
@@ -1046,7 +1053,15 @@ more_curly(void)
++cptr;
}
while (!finish);
- cptr = save;
+
+ // in case of next_inline malloc new line space
+ free(line);
+ cptr = save_cptr;
+ line = save_line;
+ linesize = save_linesize;
+ // Since get_line also move the postion in file forward
+ // we need to move it back
+ fseek(f, old_pos, SEEK_SET);
return result;
}
--
2.27.0

44
CVE-2021-33642.patch Normal file
View File

@ -0,0 +1,44 @@
From ab5ee87cbbe1b94a45d5c7974b321e2ee78d1238 Mon Sep 17 00:00:00 2001
From: zhoupengcheng <zhoupengcheng11@huawei.com>
Date: Sat, 26 Nov 2022 18:27:48 +0800
Subject: [PATCH] fix CVE-2021-33642
next_inline() return EOF cause infinite loop in more_curly(),
Add EOF case in more_curly(), don't allow multiple line.
---
reader.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/reader.c b/reader.c
index 2a1dfe5..6a9bb7c 100644
--- a/reader.c
+++ b/reader.c
@@ -1030,8 +1030,10 @@ more_curly(void)
int result = 0;
int finish = 0;
+ int c;
FILE *f = input_file;
long int old_pos = ftell(f);
+ long int new_pos = old_pos;
int save_linesize = linesize;
char *save_line = TMALLOC(char, linesize);
NO_SPACE(save_line);
@@ -1039,7 +1041,13 @@ more_curly(void)
memcpy(save_line, line, linesize);
do
{
- switch (next_inline())
+ c = next_inline();
+ // Don't allow multiple line, so we use file position to check
+ // Only get_line() will move file postion forward
+ new_pos = ftell(f);
+ if (c == (EOF) || old_pos != new_pos)
+ break;
+ switch (c)
{
case 0:
case '\n':
--
2.27.0

8
byacc.spec
View File

@ -2,12 +2,15 @@
Name: byacc Name: byacc
Version: 2.0.%{byaccdate} Version: 2.0.%{byaccdate}
Release: 4 Release: 5
Summary: A parser generator Summary: A parser generator
License: public domain License: public domain
URL: https://invisible-island.net/byacc/byacc.html URL: https://invisible-island.net/byacc/byacc.html
Source0: https://invisible-mirror.net/archives/byacc/byacc-%{byaccdate}.tgz Source0: https://invisible-mirror.net/archives/byacc/byacc-%{byaccdate}.tgz
Patch9000: CVE-2021-33641.patch
Patch9001: CVE-2021-33642.patch
BuildRequires: gcc BuildRequires: gcc
%description %description
@ -45,6 +48,9 @@ make check
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Mon Dec 26 2022 zhoupengcheng <zhoupengcheng11@huawei.com> - 2.0.20210808-5
- fix CVE-2021-33641 and CVE-2021-33642
* Sat Dec 24 2022 chenmaodong <chenmaodong@xfusion.com> - 2.0.20210808-4 * Sat Dec 24 2022 chenmaodong <chenmaodong@xfusion.com> - 2.0.20210808-4
- Modify changelog error - Modify changelog error