author | Wolfgang Rosenauer <wr@rosenauer.org> |
Wed, 19 Oct 2016 14:13:47 +0200 | |
branch | firefox49 |
changeset 930 | fdfd88b0c2d7 |
parent 926 | 6ab8b16f232c |
permissions | -rw-r--r-- |
926
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
1 |
# HG changeset patch |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
2 |
# Parent c8e8364b303892fdb5a574b96411d2d8f699a15e |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
3 |
Patch lexical parser files generated by flex which may be potentially |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
4 |
exploitable in a buffer overrun. These seem to come from an upstream projects |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
5 |
(CMU Sphinx and ANGLE) so it should be fixed there in the first place. |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
6 |
|
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
7 |
CVE-2016-6354 |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
8 |
|
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
9 |
https://bugzilla.suse.com/show_bug.cgi?id=990856 |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
10 |
|
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
11 |
diff --git a/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp b/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
12 |
--- a/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
13 |
+++ b/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
14 |
@@ -1375,17 +1375,17 @@ static int yy_get_next_buffer (yyscan_t |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
15 |
if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING ) |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
16 |
/* don't do the read, it's not guaranteed to return an EOF, |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
17 |
* just force an EOF |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
18 |
*/ |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
19 |
YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0; |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
20 |
|
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
21 |
else |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
22 |
{ |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
23 |
- yy_size_t num_to_read = |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
24 |
+ int num_to_read = |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
25 |
YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1; |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
26 |
|
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
27 |
while ( num_to_read <= 0 ) |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
28 |
{ /* Not enough room in the buffer - grow it. */ |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
29 |
|
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
30 |
/* just a shorter name for the current buffer */ |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
31 |
YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE; |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
32 |
|
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
33 |
diff --git a/gfx/angle/src/compiler/translator/glslang_lex.cpp b/gfx/angle/src/compiler/translator/glslang_lex.cpp |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
34 |
--- a/gfx/angle/src/compiler/translator/glslang_lex.cpp |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
35 |
+++ b/gfx/angle/src/compiler/translator/glslang_lex.cpp |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
36 |
@@ -2269,17 +2269,17 @@ static int yy_get_next_buffer (yyscan_t |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
37 |
if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING ) |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
38 |
/* don't do the read, it's not guaranteed to return an EOF, |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
39 |
* just force an EOF |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
40 |
*/ |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
41 |
YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0; |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
42 |
|
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
43 |
else |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
44 |
{ |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
45 |
- yy_size_t num_to_read = |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
46 |
+ int num_to_read = |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
47 |
YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1; |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
48 |
|
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
49 |
while ( num_to_read <= 0 ) |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
50 |
{ /* Not enough room in the buffer - grow it. */ |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
51 |
|
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
52 |
/* just a shorter name for the current buffer */ |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
53 |
YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE; |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
54 |
|
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
55 |
diff --git a/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c b/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
56 |
--- a/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
57 |
+++ b/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
58 |
@@ -1242,17 +1242,17 @@ static int yy_get_next_buffer (yyscan_t |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
59 |
if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING ) |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
60 |
/* don't do the read, it's not guaranteed to return an EOF, |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
61 |
* just force an EOF |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
62 |
*/ |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
63 |
YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0; |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
64 |
|
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
65 |
else |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
66 |
{ |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
67 |
- yy_size_t num_to_read = |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
68 |
+ int num_to_read = |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
69 |
YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1; |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
70 |
|
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
71 |
while ( num_to_read <= 0 ) |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
72 |
{ /* Not enough room in the buffer - grow it. */ |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
73 |
|
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
74 |
/* just a shorter name for the current buffer */ |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
75 |
YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE; |
6ab8b16f232c
merge latest changes from Factory
Wolfgang Rosenauer <wr@rosenauer.org>
parents:
diff
changeset
|
76 |