| Andrew Geissler | 4ed12e1 | 2020-06-05 18:00:41 -0500 | [diff] [blame] | 1 | From c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a Mon Sep 17 00:00:00 2001 |
| 2 | From: Ulya Trofimovich <skvadrik@gmail.com> |
| 3 | Date: Fri, 17 Apr 2020 22:47:14 +0100 |
| 4 | Subject: [PATCH] Fix crash in lexer refill (reported by Agostino Sarubbo). |
| 5 | |
| 6 | The crash happened in a rare case of a very long lexeme that doen't fit |
| 7 | into the buffer, forcing buffer reallocation. |
| 8 | |
| 9 | The crash was caused by an incorrect calculation of the shift offset |
| 10 | (it was smaller than necessary). As a consequence, the data from buffer |
| 11 | start and up to the beginning of the current lexeme was not discarded |
| 12 | (as it should have been), resulting in less free space for new data than |
| 13 | expected. |
| 14 | |
| 15 | Upstream-Status: Backport [https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a] |
| 16 | CVE: CVE-2020-11958 |
| 17 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> |
| 18 | --- |
| 19 | src/parse/scanner.cc | 3 ++- |
| 20 | 1 file changed, 2 insertions(+), 1 deletion(-) |
| 21 | |
| 22 | diff --git a/src/parse/scanner.cc b/src/parse/scanner.cc |
| 23 | index 1d6e9efa..bd651314 100644 |
| 24 | --- a/src/parse/scanner.cc |
| 25 | +++ b/src/parse/scanner.cc |
| 26 | @@ -155,13 +155,14 @@ bool Scanner::fill(size_t need) |
| 27 | if (!buf) fatal("out of memory"); |
| 28 | |
| 29 | memmove(buf, tok, copy); |
| 30 | - shift_ptrs_and_fpos(buf - bot); |
| 31 | + shift_ptrs_and_fpos(buf - tok); |
| 32 | delete [] bot; |
| 33 | bot = buf; |
| 34 | |
| 35 | free = BSIZE - copy; |
| 36 | } |
| 37 | |
| 38 | + DASSERT(lim + free <= bot + BSIZE); |
| 39 | if (!read(free)) { |
| 40 | eof = lim; |
| 41 | memset(lim, 0, YYMAXFILL); |