|
1 # HG changeset patch |
|
2 # Parent c8e8364b303892fdb5a574b96411d2d8f699a15e |
|
3 Patch lexical parser files generated by flex which may be potentially |
|
4 exploitable in a buffer overrun. These seem to come from upstream projects |
|
5 (CMU Sphinx and ANGLE) so it should be fixed there in the first place. |
|
6 |
|
7 CVE-2016-6354 |
|
8 |
|
9 https://bugzilla.suse.com/show_bug.cgi?id=990856 |
|
10 |
|
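diff --git a/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp b/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
--- a/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
+++ b/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
@@ -1375,17 +1375,17 @@ static int yy_get_next_buffer (yyscan_t
 if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
 /* don't do the read, it's not guaranteed to return an EOF,
 * just force an EOF
 */
 YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
 
 else
 {
- yy_size_t num_to_read =
+ int num_to_read =
 YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
 
 while ( num_to_read <= 0 )
 { /* Not enough room in the buffer - grow it. */
 
 /* just a shorter name for the current buffer */
 YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
 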
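Review bot: The new `int num_to_read =` declaration carries no comment saying why it must be signed, and the commit message describes these files as flex-generated, so a regeneration or a later type cleanup could silently restore the unsigned declaration and make `while ( num_to_read <= 0 )` skip the grow path again whenever the subtraction goes negative. I would add `/* must stay signed: a negative result has to enter the grow loop below (CVE-2016-6354) */` above the declaration here and at the identical hunks in glslang_lex.cpp and jsgf_scanner.c. If `yy_buf_size` is declared as `yy_size_t` in these files (its declaration is outside the hunk), the subtraction is still performed unsigned and only the conversion to `int` yields the negative value, which also narrows on 64-bit targets; that is worth confirming against the buffer struct definition. The body of yy_get_next_buffer starts and ends outside the hunk, so the later uses of `num_to_read` are not visible here.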
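diff --git a/gfx/angle/src/compiler/translator/glslang_lex.cpp b/gfx/angle/src/compiler/translator/glslang_lex.cpp
--- a/gfx/angle/src/compiler/translator/glslang_lex.cpp
+++ b/gfx/angle/src/compiler/translator/glslang_lex.cpp
@@ -2269,17 +2269,17 @@ static int yy_get_next_buffer (yyscan_t
 if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
 /* don't do the read, it's not guaranteed to return an EOF,
 * just force an EOF
 */
 YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
 
 else
 {
- yy_size_t num_to_read =
+ int num_to_read =
 YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
 
 while ( num_to_read <= 0 )
 { /* Not enough room in the buffer - grow it. */
 
 /* just a shorter name for the current buffer */
 YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
 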
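diff --git a/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c b/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
--- a/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
+++ b/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
@@ -1242,17 +1242,17 @@ static int yy_get_next_buffer (yyscan_t
 if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
 /* don't do the read, it's not guaranteed to return an EOF,
 * just force an EOF
 */
 YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
 
 else
 {
- yy_size_t num_to_read =
+ int num_to_read =
 YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
 
 while ( num_to_read <= 0 )
 { /* Not enough room in the buffer - grow it. */
 
 /* just a shorter name for the current buffer */
 YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
 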