byacc/CVE-2021-33641.patch

From 162549f599c4460bcefc1526cfa014fec626ebc5 Mon Sep 17 00:00:00 2001
From: zhoupengcheng <zhoupengcheng11@huawei.com>
Date: Sat, 26 Nov 2022 18:27:48 +0800

Subject: [PATCH] fix CVE-2021-33641

the global variable:cptr use-after-free in  more_curly(),
save original line in more_curly() in case get new line to fix
CVE-2021-33641.
---
 reader.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/reader.c b/reader.c
index 37dc2cb..2a1dfe5 100644
--- a/reader.c
+++ b/reader.c
@@ -1027,9 +1027,16 @@ trim_blanks(char *buffer)
 static int
 more_curly(void)
 {
-    char *save = cptr;
+    
     int result = 0;
     int finish = 0;
+    FILE *f = input_file;
+    long int old_pos = ftell(f); 
+    int save_linesize = linesize;
+    char *save_line = TMALLOC(char, linesize);
+    NO_SPACE(save_line);
+    char *save_cptr = save_line + (cptr - line);
+    memcpy(save_line, line, linesize);
     do
     {
 	switch (next_inline())
@@ -1046,7 +1053,15 @@ more_curly(void)
 	++cptr;
     }
     while (!finish);
-    cptr = save;
+
+    // in case of next_inline malloc new line space 
+    free(line);
+    cptr = save_cptr;
+    line = save_line;
+    linesize = save_linesize;
+    // Since get_line also move the postion in file forward
+    //  we need to move it back
+    fseek(f, old_pos, SEEK_SET);
     return result;
 }
 
-- 
2.27.0