Prevent possible buffer overflow in yyerror()
Resolves: CVE-2014-1235 - Fix possible buffer overflow problem in chkNum of scanner Resolves: CVE-2014-1236
parent
463d336550
commit
99ce361b11
@ -33,7 +33,7 @@ index b3c4875..a46cd92 100644
|
|||||||
#ifdef WIN32
|
#ifdef WIN32
|
||||||
#include <io.h>
|
#include <io.h>
|
||||||
#endif
|
#endif
|
||||||
@@ -153,13 +154,21 @@ ID ({NAME}|{NUMBER})
|
@@ -153,13 +154,22 @@ ID ({NAME}|{NUMBER})
|
||||||
%%
|
%%
|
||||||
void yyerror(char *str)
|
void yyerror(char *str)
|
||||||
{
|
{
|
||||||
@ -52,7 +52,8 @@ index b3c4875..a46cd92 100644
|
|||||||
+ agxbput (&xb, InputFile);
|
+ agxbput (&xb, InputFile);
|
||||||
+ agxbput (&xb, ": ");
|
+ agxbput (&xb, ": ");
|
||||||
+ }
|
+ }
|
||||||
+ sprintf(buf," %s in line %d near '", str,line_num);
|
+ agxbput (&xb, str);
|
||||||
|
+ sprintf(buf," in line %d near '", line_num);
|
||||||
+ agxbput (&xb, buf);
|
+ agxbput (&xb, buf);
|
||||||
+ agxbput (&xb, yytext);
|
+ agxbput (&xb, yytext);
|
||||||
+ agxbput (&xb,"'\n");
|
+ agxbput (&xb,"'\n");
|
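Review bot: The replacement line `sprintf(buf," in line %d near '", line_num);` in yyerror still formats into `buf` with an unbounded call. After this change only an integer is formatted, so it cannot overrun a BUFSIZ-sized array, but `buf` is declared outside the hunk and its size should be confirmed. Writing it as `snprintf(buf, sizeof buf, " in line %d near '", line_num);` would make the bound explicit (valid only if `buf` is an array, not a pointer). The same pattern appears in the added chkNum code in graphviz-2.12-CVE-2014-1236.patch (`sprintf(buf,"' in line %d", line_num);`). yyerror's body begins and ends outside the lines shown, so the final use and release of `xb` could not be checked here.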
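--- /dev/null
+++ b/graphviz-2.12-CVE-2014-1236.patch
@@ -0,0 +1,40 @@
+diff --git a/lib/agraph/scan.l b/lib/agraph/scan.l
+index 4eabcdc..02eaaab 100644
+--- a/lib/agraph/scan.l
++++ b/lib/agraph/scan.l
+@@ -93,15 +93,26 @@ static void endstr_html(void) {
+* and report this to the user.
+*/
+static int chkNum(void) {
+- unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */
+- if (!isdigit(c) && (c != '.')) { /* c is letter */
+- char buf[BUFSIZ];
+- sprintf(buf,"badly formed number '%s' in line %d\n",yytext,line_num);
+- strcat (buf, "Splits into two name tokens");
+- agerror(AGERROR_SYNTAX,buf);
+- return 1;
+- }
+- else return 0;
++ unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */
++ if (!isdigit(c) && (c != '.')) { /* c is letter */
++ unsigned char xbuf[BUFSIZ];
++ char buf[BUFSIZ];
++ agxbuf xb;
++ char* fname;
++
++ agxbinit(&xb, BUFSIZ, xbuf);
++
++ agxbput(&xb,"syntax ambiguity - badly delimited number '");
++ agxbput(&xb,yytext);
++ sprintf(buf,"' in line %d", line_num);
++ agxbput(&xb,buf);
++ agxbput(&xb, " splits into two tokens\n");
++ agerror(AGERROR_SYNTAX,agxbuse(&xb));
++
++ agxbfree(&xb);
++ return 1;
++ }
++ else return 0;
+}
+
+/* The LETTER class below consists of ascii letters, underscore, all non-ascii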
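Review bot: `char* fname;` is declared in the new chkNum body but never used in the added lines, so it can be removed (it will otherwise draw an unused-variable warning). This patch has a single hunk and adds no `#include`, so it should be confirmed that lib/agraph/scan.l already includes the header declaring `agxbinit`, `agxbput`, `agxbuse` and `agxbfree`; if it does not, the calls are implicitly declared. `yytext` is still copied verbatim into the message handed to `agerror`; that is fine if agerror prints its argument as data, which is not visible here and is worth confirming.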
@ -7,14 +7,17 @@
|
|||||||
#-- graphviz src.rpm --------------------------------------------------------
|
#-- graphviz src.rpm --------------------------------------------------------
|
||||||
Name: graphviz
|
Name: graphviz
|
||||||
Version: 2.12
|
Version: 2.12
|
||||||
Release: 9%{?dist}
|
Release: 10%{?dist}
|
||||||
|
|
||||||
License: CPL
|
License: CPL
|
||||||
URL: http://www.graphviz.org/
|
URL: http://www.graphviz.org/
|
||||||
Source: http://www.graphviz.org/pub/graphviz/ARCHIVE/graphviz-2.12.tar.gz
|
Source: http://www.graphviz.org/pub/graphviz/ARCHIVE/graphviz-2.12.tar.gz
|
||||||
Patch0: %{name}-php5.patch
|
Patch0: %{name}-php5.patch
|
||||||
Patch1: %{name}-libcdt.patch
|
Patch1: %{name}-libcdt.patch
|
||||||
Patch2: graphviz-2.12-yyerror-overflow-fix.patch
|
# Fix yyerror overflow (CVE-2014-0978, CVE-2014-1235)
|
||||||
|
Patch2: graphviz-2.12-CVE-2014-0978-CVE-2014-1235.patch
|
||||||
|
# Fix chknum overflow (CVE-2014-1236)
|
||||||
|
Patch3: graphviz-2.12-CVE-2014-1236.patch
|
||||||
|
|
||||||
# graphviz is relocatable
|
# graphviz is relocatable
|
||||||
#Prefix: /usr
|
#Prefix: /usr
|
||||||
@ -409,7 +412,8 @@ Provides some additional PDF and HTML documentation for graphviz.
|
|||||||
%setup -q
|
%setup -q
|
||||||
%patch0 -p1
|
%patch0 -p1
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch2 -p1
|
%patch2 -p1 -b .CVE-2014-0978-CVE-2014-1235
|
||||||
|
%patch3 -p1 -b .CVE-2014-1236
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# XXX ix86 only used to have -ffast-math, let's use everywhere
|
# XXX ix86 only used to have -ffast-math, let's use everywhere
|
||||||
@ -446,9 +450,15 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
#-- changelog --------------------------------------------------
|
#-- changelog --------------------------------------------------
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jan 10 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.12-10
|
||||||
|
- Prevent possible buffer overflow in yyerror()
|
||||||
|
Resolves: CVE-2014-1235
|
||||||
|
- Fix possible buffer overflow problem in chkNum of scanner
|
||||||
|
Resolves: CVE-2014-1236
|
||||||
|
|
||||||
* Tue Jan 7 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.12-9
|
* Tue Jan 7 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.12-9
|
||||||
- Fixed overflow in yyerror
|
- Fixed overflow in yyerror
|
||||||
Resolves: rhbz#1049168
|
Resolves: CVE-2014-0978
|
||||||
- Fixed malformed php5 patch due to distgit conversion
|
- Fixed malformed php5 patch due to distgit conversion
|
||||||
|
|
||||||
* Thu May 24 2007 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.12-8
|
* Thu May 24 2007 Patrick "Jima" Laughton <jima@beer.tclug.org> 2.12-8
|
||||||
|