diff -r 05d175c5957e -r 6ab8b16f232c mozilla-flex_buffer_overrun.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/mozilla-flex_buffer_overrun.patch Thu Aug 18 08:58:07 2016 +0200
@@ -0,0 +1,76 @@
+# HG changeset patch
+# Parent c8e8364b303892fdb5a574b96411d2d8f699a15e
+Patch lexical parser files generated by flex which may be potentially
+exploitable in a buffer overrun. These seem to come from an upstream projects
+(CMU Sphinx and ANGLE) so it should be fixed there in the first place.
+
+CVE-2016-6354
+
+https://bugzilla.suse.com/show_bug.cgi?id=990856
+
+diff --git a/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp b/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
+--- a/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
++++ b/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
+@@ -1375,17 +1375,17 @@ static int yy_get_next_buffer (yyscan_t
+ if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
+ /* don't do the read, it's not guaranteed to return an EOF,
+ * just force an EOF
+ */
+ YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
+
+ else
+ {
+- yy_size_t num_to_read =
++ int num_to_read =
+ YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+
+ while ( num_to_read <= 0 )
+ { /* Not enough room in the buffer - grow it. */
+
+ /* just a shorter name for the current buffer */
+ YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
+
+diff --git a/gfx/angle/src/compiler/translator/glslang_lex.cpp b/gfx/angle/src/compiler/translator/glslang_lex.cpp
+--- a/gfx/angle/src/compiler/translator/glslang_lex.cpp
++++ b/gfx/angle/src/compiler/translator/glslang_lex.cpp
+@@ -2269,17 +2269,17 @@ static int yy_get_next_buffer (yyscan_t
+ if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
+ /* don't do the read, it's not guaranteed to return an EOF,
+ * just force an EOF
+ */
+ YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
+
+ else
+ {
+- yy_size_t num_to_read =
++ int num_to_read =
+ YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+
+ while ( num_to_read <= 0 )
+ { /* Not enough room in the buffer - grow it. */
+
+ /* just a shorter name for the current buffer */
+ YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
+
+diff --git a/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c b/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
+--- a/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
++++ b/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
+@@ -1242,17 +1242,17 @@ static int yy_get_next_buffer (yyscan_t
+ if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
+ /* don't do the read, it's not guaranteed to return an EOF,
+ * just force an EOF
+ */
+ YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
+
+ else
+ {
+- yy_size_t num_to_read =
++ int num_to_read =
+ YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+
+ while ( num_to_read <= 0 )
+ { /* Not enough room in the buffer - grow it. */
+
+ /* just a shorter name for the current buffer */
+ YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
+
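Review bot: The new `int num_to_read =` declaration in all three `yy_get_next_buffer` hunks (Tokenizer.cpp, glslang_lex.cpp, jsgf_scanner.c) has no comment saying why it must be signed, and since the description says these files are flex output, regenerating the scanners with an unfixed flex would presumably bring `yy_size_t` back unnoticed. With an unsigned type the visible `while ( num_to_read <= 0 )` test can only match zero, so a result that should be negative never enters the grow loop; I would record that next to each declaration, e.g. `/* must stay signed: a negative result has to enter the grow loop below (CVE-2016-6354) */`. The subtraction `yy_buf_size - number_to_move - 1` may still be evaluated in an unsigned type before it is narrowed to `int` (the member and local types are not visible here), so the fix appears to rely on the out-of-range conversion yielding a negative value; that is worth confirming against the declarations, along with any later comparison or read-size argument that mixes `num_to_read` with unsigned operands. Each function body starts and ends outside its hunk.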