Prevent possible buffer overflow in yyerror()

Resolves: CVE-2014-1235
- Fix possible buffer overflow problem in chkNum of scanner
  Resolves: CVE-2014-1236
This commit is contained in:
Jaroslav Škarvada 2014-01-10 10:28:08 +01:00
parent a2040cdc1f
commit 8a174ca0bb
3 changed files with 75 additions and 21 deletions

View File

@ -1,15 +1,4 @@
From 7aaddf52cd98589fb0c3ab72a393f8411838438a Mon Sep 17 00:00:00 2001
From: "Emden R. Gansner" <erg@alum.mit.edu>
Date: Fri, 4 Oct 2013 09:06:39 -0400
Subject: [PATCH] Fix buffer overflow problem when reporting a syntax error
with a very long input line
---
lib/cgraph/scan.l | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
index 3cfde0f..2efd203 100644
--- a/lib/cgraph/scan.l --- a/lib/cgraph/scan.l
+++ b/lib/cgraph/scan.l +++ b/lib/cgraph/scan.l
@@ -16,6 +16,7 @@ @@ -16,6 +16,7 @@
@ -20,7 +9,7 @@ index 3cfde0f..2efd203 100644
#include <ctype.h> #include <ctype.h>
#define GRAPH_EOF_TOKEN '@' /* lex class must be defined below */ #define GRAPH_EOF_TOKEN '@' /* lex class must be defined below */
/* this is a workaround for linux flex */ /* this is a workaround for linux flex */
@@ -191,13 +192,21 @@ ID ({NAME}|{NUMBER}) @@ -191,13 +192,22 @@ ID ({NAME}|{NUMBER})
%% %%
void yyerror(char *str) void yyerror(char *str)
{ {
@ -39,7 +28,8 @@ index 3cfde0f..2efd203 100644
+ agxbput (&xb, InputFile); + agxbput (&xb, InputFile);
+ agxbput (&xb, ": "); + agxbput (&xb, ": ");
+ } + }
+ sprintf(buf," %s in line %d near '", str,line_num); + agxbput (&xb, str);
+ sprintf(buf," in line %d near '", line_num);
+ agxbput (&xb, buf); + agxbput (&xb, buf);
+ agxbput (&xb, yytext); + agxbput (&xb, yytext);
+ agxbput (&xb,"'\n"); + agxbput (&xb,"'\n");
@ -48,6 +38,3 @@ index 3cfde0f..2efd203 100644
} }
/* must be here to see flex's macro defns */ /* must be here to see flex's macro defns */
void aglexeof() { unput(GRAPH_EOF_TOKEN); } void aglexeof() { unput(GRAPH_EOF_TOKEN); }
--
1.8.5.1

View File

@ -0,0 +1,58 @@
From 1d1bdec6318746f6f19f245db589eddc887ae8ff Mon Sep 17 00:00:00 2001
From: "Emden R. Gansner" <erg@alum.mit.edu>
Date: Wed, 8 Jan 2014 11:31:04 -0500
Subject: [PATCH] Fix possible buffer overflow problem in chkNum of scanner.
---
lib/cgraph/scan.l | 35 ++++++++++++++++++++++++++---------
1 file changed, 26 insertions(+), 9 deletions(-)
diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
index 212967c..d065b61 100644
--- a/lib/cgraph/scan.l
+++ b/lib/cgraph/scan.l
@@ -129,15 +129,32 @@ static void ppDirective (void)
* and report this to the user.
*/
static int chkNum(void) {
- unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */
- if (!isdigit(c) && (c != '.')) { /* c is letter */
- char buf[BUFSIZ];
- sprintf(buf,"syntax error - badly formed number '%s' in line %d of %s\n",yytext,line_num, InputFile);
- strcat (buf, "splits into two name tokens\n");
- agerr(AGWARN,buf);
- return 1;
- }
- else return 0;
+ unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */
+ if (!isdigit(c) && (c != '.')) { /* c is letter */
+ unsigned char xbuf[BUFSIZ];
+ char buf[BUFSIZ];
+ agxbuf xb;
+ char* fname;
+
+ if (InputFile)
+ fname = InputFile;
+ else
+ fname = "input";
+
+ agxbinit(&xb, BUFSIZ, xbuf);
+
+ agxbput(&xb,"syntax ambiguity - badly delimited number '");
+ agxbput(&xb,yytext);
+ sprintf(buf,"' in line %d of ", line_num);
+ agxbput(&xb,buf);
+ agxbput(&xb,fname);
+ agxbput(&xb, " splits into two tokens\n");
+ agerr(AGWARN,agxbuse(&xb));
+
+ agxbfree(&xb);
+ return 1;
+ }
+ else return 0;
}
/* The LETTER class below consists of ascii letters, underscore, all non-ascii
--
1.8.5.1

View File

@ -52,7 +52,7 @@
Name: graphviz Name: graphviz
Summary: Graph Visualization Tools Summary: Graph Visualization Tools
Version: 2.34.0 Version: 2.34.0
Release: 7%{?dist} Release: 8%{?dist}
Group: Applications/Multimedia Group: Applications/Multimedia
License: EPL License: EPL
URL: http://www.graphviz.org/ URL: http://www.graphviz.org/
@ -63,8 +63,10 @@ Patch1: graphviz-2.32.0-testsuite-sigsegv-fix.patch
Patch2: graphviz-2.32.0-rtest-errout-fix.patch Patch2: graphviz-2.32.0-rtest-errout-fix.patch
# Upstream bug 0002387 # Upstream bug 0002387
Patch3: graphviz-2.34.0-lefty-getaddrinfo.patch Patch3: graphviz-2.34.0-lefty-getaddrinfo.patch
# Fix yyerror overflow (#1049167) # Fix yyerror overflow (CVE-2014-0978, CVE-2014-1235)
Patch4: graphviz-2.34.0-yyerror-overflow-fix.patch Patch4: graphviz-2.34.0-CVE-2014-0978-CVE-2014-1235.patch
# Fix chknum overflow (CVE-2014-1236)
Patch5: graphviz-2.34.0-CVE-2014-1236.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: zlib-devel, libpng-devel, libjpeg-devel, expat-devel, freetype-devel >= 2 BuildRequires: zlib-devel, libpng-devel, libjpeg-devel, expat-devel, freetype-devel >= 2
BuildRequires: ksh, bison, m4, flex, tk-devel, tcl-devel >= 8.3, swig BuildRequires: ksh, bison, m4, flex, tk-devel, tcl-devel >= 8.3, swig
@ -270,7 +272,8 @@ Various tcl packages (extensions) for the graphviz tools.
%patch1 -p1 -b .testsuite-sigsegv-fix %patch1 -p1 -b .testsuite-sigsegv-fix
%patch2 -p1 -b .rtest-errout-fix %patch2 -p1 -b .rtest-errout-fix
%patch3 -p1 -b .lefty-getaddrinfo %patch3 -p1 -b .lefty-getaddrinfo
%patch4 -p1 -b .overflow-yyerror-fix %patch4 -p1 -b .CVE-2014-0978-CVE-2014-1235
%patch5 -p1 -b .CVE-2014-1236
# Attempt to fix rpmlint warnings about executable sources # Attempt to fix rpmlint warnings about executable sources
find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';' find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';'
@ -559,9 +562,15 @@ rm -rf %{buildroot}
%changelog %changelog
* Thu Jan 9 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.34.0-8
- Prevent possible buffer overflow in yyerror()
Resolves: CVE-2014-1235
- Fix possible buffer overflow problem in chkNum of scanner
Resolves: CVE-2014-1236
* Tue Jan 7 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.34.0-7 * Tue Jan 7 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.34.0-7
- Fixed overflow in yyerror - Fixed overflow in yyerror
Resolves: rhbz#1049167 Resolves: CVE-2014-0978
* Sat Dec 28 2013 Peter Robinson <pbrobinson@fedoraproject.org> 2.34.0-6 * Sat Dec 28 2013 Peter Robinson <pbrobinson@fedoraproject.org> 2.34.0-6
- Disable R bindings on aarch64 for the moment - Disable R bindings on aarch64 for the moment