Mercurial Mercurial > hg > mozilla / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mozilla-flex_buffer_overrun.patch
changeset 935 9ae2b79d3bb1
parent 934 b61e849fe451
child 936 096e59808e91 
--- a/mozilla-flex_buffer_overrun.patch	Wed Jan 18 22:06:23 2017 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,76 +0,0 @@
-# HG changeset patch
-# Parent  c8e8364b303892fdb5a574b96411d2d8f699a15e
-Patch lexical parser files generated by flex which may be potentially
-exploitable in a buffer overrun. These seem to come from an upstream projects
-(CMU Sphinx and ANGLE) so it should be fixed there in the first place.
-
-CVE-2016-6354
-
-https://bugzilla.suse.com/show_bug.cgi?id=990856
-
-diff --git a/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp b/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
---- a/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
-+++ b/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
-@@ -1375,17 +1375,17 @@ static int yy_get_next_buffer (yyscan_t 
- 	if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
- 		/* don't do the read, it's not guaranteed to return an EOF,
- 		 * just force an EOF
- 		 */
- 		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
- 
- 	else
- 		{
--			yy_size_t num_to_read =
-+			int num_to_read =
- 			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
- 
- 		while ( num_to_read <= 0 )
- 			{ /* Not enough room in the buffer - grow it. */
- 
- 			/* just a shorter name for the current buffer */
- 			YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
- 
-diff --git a/gfx/angle/src/compiler/translator/glslang_lex.cpp b/gfx/angle/src/compiler/translator/glslang_lex.cpp
---- a/gfx/angle/src/compiler/translator/glslang_lex.cpp
-+++ b/gfx/angle/src/compiler/translator/glslang_lex.cpp
-@@ -2269,17 +2269,17 @@ static int yy_get_next_buffer (yyscan_t 
- 	if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
- 		/* don't do the read, it's not guaranteed to return an EOF,
- 		 * just force an EOF
- 		 */
- 		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
- 
- 	else
- 		{
--			yy_size_t num_to_read =
-+			int num_to_read =
- 			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
- 
- 		while ( num_to_read <= 0 )
- 			{ /* Not enough room in the buffer - grow it. */
- 
- 			/* just a shorter name for the current buffer */
- 			YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
- 
-diff --git a/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c b/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
---- a/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
-+++ b/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
-@@ -1242,17 +1242,17 @@ static int yy_get_next_buffer (yyscan_t 
- 	if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
- 		/* don't do the read, it's not guaranteed to return an EOF,
- 		 * just force an EOF
- 		 */
- 		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
- 
- 	else
- 		{
--			yy_size_t num_to_read =
-+			int num_to_read =
- 			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
- 
- 		while ( num_to_read <= 0 )
- 			{ /* Not enough room in the buffer - grow it. */
- 
- 			/* just a shorter name for the current buffer */
- 			YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
-
mozilla