Prevent possible buffer overflow in yyerror()
Resolves: CVE-2014-1235 - Fix possible buffer overflow problem in chkNum of scanner Resolves: CVE-2014-1236
parent
463d336550
commit
99ce361b11
@ -33,7 +33,7 @@ index b3c4875..a46cd92 100644
|
||||
#ifdef WIN32
|
||||
#include <io.h>
|
||||
#endif
|
||||
@@ -153,13 +154,21 @@ ID ({NAME}|{NUMBER})
|
||||
@@ -153,13 +154,22 @@ ID ({NAME}|{NUMBER})
|
||||
%%
|
||||
void yyerror(char *str)
|
||||
{
|
||||
@ -52,7 +52,8 @@ index b3c4875..a46cd92 100644
|
||||
+ agxbput (&xb, InputFile);
|
||||
+ agxbput (&xb, ": ");
|
||||
+ }
|
||||
+ sprintf(buf," %s in line %d near '", str,line_num);
|
||||
+ agxbput (&xb, str);
|
||||
+ sprintf(buf," in line %d near '", line_num);
|
||||
+ agxbput (&xb, buf);
|
||||
+ agxbput (&xb, yytext);
|
||||
+ agxbput (&xb,"'\n");
|
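Review bot: The `sprintf(buf," in line %d near '", line_num);` on what appears to be the new side of yyerror() still writes into `buf` with no explicit size. With only an integer formatted the output is short, but `snprintf(buf, sizeof(buf), " in line %d near '", line_num);` would keep the bound visible at the call site (this assumes `buf` is a local array, since its declaration is outside the visible lines). The same pattern appears in chkNum() in graphviz-2.12-CVE-2014-1236.patch as `sprintf(buf,"' in line %d", line_num);`. Routing `str` and `yytext` through `agxbput` rather than the fixed buffer is the part that removes the overflow. yyerror()'s body starts and ends outside the hunk.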
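--- a/graphviz-2.12-CVE-2014-1236.patch
+++ b/graphviz-2.12-CVE-2014-1236.patch
@@ -0,0 +1,40 @@
+diff --git a/lib/agraph/scan.l b/lib/agraph/scan.l
+index 4eabcdc..02eaaab 100644
+--- a/lib/agraph/scan.l
++++ b/lib/agraph/scan.l
+@@ -93,15 +93,26 @@ static void endstr_html(void) {
+* and report this to the user.
+*/
+static int chkNum(void) {
+- unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */
+- if (!isdigit(c) && (c != '.')) { /* c is letter */
+- char buf[BUFSIZ];
+- sprintf(buf,"badly formed number '%s' in line %d\n",yytext,line_num);
+- strcat (buf, "Splits into two name tokens");
+- agerror(AGERROR_SYNTAX,buf);
+- return 1;
+- }
+- else return 0;
++ unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */
++ if (!isdigit(c) && (c != '.')) { /* c is letter */
++ unsigned char xbuf[BUFSIZ];
++ char buf[BUFSIZ];
++ agxbuf xb;
++ char* fname;
++
++ agxbinit(&xb, BUFSIZ, xbuf);
++
++ agxbput(&xb,"syntax ambiguity - badly delimited number '");
++ agxbput(&xb,yytext);
++ sprintf(buf,"' in line %d", line_num);
++ agxbput(&xb,buf);
++ agxbput(&xb, " splits into two tokens\n");
++ agerror(AGERROR_SYNTAX,agxbuse(&xb));
++
++ agxbfree(&xb);
++ return 1;
++ }
++ else return 0;
+}
+
+/* The LETTER class below consists of ascii letters, underscore, all non-ascii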
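Review bot: `char* fname;` is declared in the new error branch of chkNum() but never used in the lines shown, so it should be dropped to avoid an unused-variable warning and a misleading hint that the file name is reported here. It is also worth confirming that `agerror()` treats its second argument as a plain string rather than a printf-style format, because the assembled message embeds `yytext` verbatim; the old code passed `buf` the same way, so this is not introduced by the patch. A short comment such as `/* yytext is unbounded: build the message in an agxbuf, never in a fixed array */` above `agxbinit` would record why the extensible buffer is used.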
@ -7,14 +7,17 @@
|
||||
#-- graphviz src.rpm --------------------------------------------------------
|
||||
Name: graphviz
|
||||
Version: 2.12
|
||||
Release: 9%{?dist}
|
||||
Release: 10%{?dist}
|
||||
|
||||
License: CPL
|
||||
URL: http://www.graphviz.org/
|
||||
Source: http://www.graphviz.org/pub/graphviz/ARCHIVE/graphviz-2.12.tar.gz
|
||||
Patch0: %{name}-php5.patch
|
||||
Patch1: %{name}-libcdt.patch
|
||||
Patch2: graphviz-2.12-yyerror-overflow-fix.patch
|
||||
# Fix yyerror overflow (CVE-2014-0978, CVE-2014-1235)
|
||||
Patch2: graphviz-2.12-CVE-2014-0978-CVE-2014-1235.patch
|
||||
# Fix chknum overflow (CVE-2014-1236)
|
||||
Patch3: graphviz-2.12-CVE-2014-1236.patch
|
||||
|
||||
# graphviz is relocatable
|
||||
#Prefix: /usr
|
||||
@ -409,7 +412,8 @@ Provides some additional PDF and HTML documentation for graphviz.
|
||||
%setup -q
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch2 -p1 -b .CVE-2014-0978-CVE-2014-1235
|
||||
%patch3 -p1 -b .CVE-2014-1236
|
||||
|
||||
%build
|
||||
# XXX ix86 only used to have -ffast-math, let's use everywhere
|
||||
@ -446,9 +450,15 @@ rm -rf $RPM_BUILD_ROOT
|
||||
#-- changelog --------------------------------------------------
|
||||
|
||||
%changelog
|
||||
* Fri Jan 10 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.12-10
|
||||
- Prevent possible buffer overflow in yyerror()
|
||||
Resolves: CVE-2014-1235
|
||||
- Fix possible buffer overflow problem in chkNum of scanner
|
||||
Resolves: CVE-2014-1236
|
||||
|
||||
* Tue Jan 7 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.12-9
|
||||
- Fixed overflow in yyerror
|
||||
Resolves: rhbz#1049168
|
||||
Resolves: CVE-2014-0978
|
||||
- Fixed malformed php5 patch due to distgit conversion
|
||||
|
||||
* Thu May 24 2007 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.12-8
|
||||
|