fix CVE-2021-33641 and CVE-2021-33642

2023-01-06 11:37:11 +08:00 · 2023-01-06 11:37:11 +08:00 · d44e41004f
commit d44e41004f
parent bd86106552
3 changed files with 106 additions and 1 deletions
--- a/CVE-2021-33641.patch
+++ b/CVE-2021-33641.patch
@ -0,0 +1,55 @@
+From 162549f599c4460bcefc1526cfa014fec626ebc5 Mon Sep 17 00:00:00 2001
+From: zhoupengcheng <zhoupengcheng11@huawei.com>
+Date: Sat, 26 Nov 2022 18:27:48 +0800
+
+Subject: [PATCH] fix CVE-2021-33641
+
+the global variable:cptr use-after-free in  more_curly(),
+save original line in more_curly() in case get new line to fix
+CVE-2021-33641.
+---
+ reader.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/reader.c b/reader.c
+index 37dc2cb..2a1dfe5 100644
+--- a/reader.c
+++ b/reader.c
+@@ -1027,9 +1027,16 @@ trim_blanks(char *buffer)
+ static int
+ more_curly(void)
+ {
+-    char *save = cptr;
+    
+     int result = 0;
+     int finish = 0;
+    FILE *f = input_file;
+    long int old_pos = ftell(f); 
+    int save_linesize = linesize;
+    char *save_line = TMALLOC(char, linesize);
+    NO_SPACE(save_line);
+    char *save_cptr = save_line + (cptr - line);
+    memcpy(save_line, line, linesize);
+     do
+     {
+ 	switch (next_inline())
+@@ -1046,7 +1053,15 @@ more_curly(void)
+ 	++cptr;
+     }
+     while (!finish);
+-    cptr = save;
+
+    // in case of next_inline malloc new line space 
+    free(line);
+    cptr = save_cptr;
+    line = save_line;
+    linesize = save_linesize;
+    // Since get_line also move the postion in file forward
+    //  we need to move it back
+    fseek(f, old_pos, SEEK_SET);
+     return result;
+ }
+ 
+-- 
+2.27.0
+
--- a/CVE-2021-33642.patch
+++ b/CVE-2021-33642.patch
@ -0,0 +1,44 @@
+From ab5ee87cbbe1b94a45d5c7974b321e2ee78d1238 Mon Sep 17 00:00:00 2001
+From: zhoupengcheng <zhoupengcheng11@huawei.com>
+Date: Sat, 26 Nov 2022 18:27:48 +0800
+Subject: [PATCH] fix CVE-2021-33642
+
+next_inline() return EOF cause infinite loop in more_curly(),
+Add EOF case in more_curly(), don't allow multiple line.
+---
+ reader.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/reader.c b/reader.c
+index 2a1dfe5..6a9bb7c 100644
+--- a/reader.c
+++ b/reader.c
+@@ -1030,8 +1030,10 @@ more_curly(void)
+     
+     int result = 0;
+     int finish = 0;
+    int c;
+     FILE *f = input_file;
+     long int old_pos = ftell(f); 
+    long int new_pos = old_pos;
+     int save_linesize = linesize;
+     char *save_line = TMALLOC(char, linesize);
+     NO_SPACE(save_line);
+@@ -1039,7 +1041,13 @@ more_curly(void)
+     memcpy(save_line, line, linesize);
+     do
+     {
+-	switch (next_inline())
+	c = next_inline();
+	// Don't allow multiple line, so we use file position to check
+	// Only get_line() will move file postion forward
+	new_pos = ftell(f);
+	if (c == (EOF) || old_pos != new_pos)
+	    break;
+	switch (c)
+ 	{
+ 	case 0:
+ 	case '\n':
+-- 
+2.27.0
+
--- a/byacc.spec
+++ b/byacc.spec
@ -2,12 +2,15 @@

 Name:           byacc
 Version:        2.0.%{byaccdate}
-Release:        4
+Release:        5
 Summary:        A parser generator
 License:        public domain
 URL:            https://invisible-island.net/byacc/byacc.html
 Source0:        https://invisible-mirror.net/archives/byacc/byacc-%{byaccdate}.tgz

+Patch9000:	CVE-2021-33641.patch
+Patch9001:	CVE-2021-33642.patch
+
 BuildRequires:  gcc

 %description
@ -45,6 +48,9 @@ make check
 %{_mandir}/man1/*

 %changelog
+* Mon Dec 26 2022 zhoupengcheng <zhoupengcheng11@huawei.com> - 2.0.20210808-5
+- fix CVE-2021-33641 and CVE-2021-33642
+
 * Sat Dec 24 2022 chenmaodong <chenmaodong@xfusion.com> - 2.0.20210808-4
 - Modify changelog error