[chicken/el6] rhbz#1181483

Ricky Elrod codeblock at fedoraproject.org
Tue Jan 13 10:10:43 UTC 2015


commit 24cfce72963be83de7a81da6b95a6103c0849fc3
Author: Ricky Elrod <ricky at elrod.me>
Date:   Tue Jan 13 05:10:45 2015 -0500

    rhbz#1181483
    
    Signed-off-by: Ricky Elrod <ricky at elrod.me>

 chicken-4.9.0.1-2.el6.src.rpm |  Bin 0 -> 4014644 bytes
 chicken.spec                  |   11 +++++-
 rhbz-1181483.patch            |   80 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 89 insertions(+), 2 deletions(-)
---
diff --git a/chicken-4.9.0.1-2.el6.src.rpm b/chicken-4.9.0.1-2.el6.src.rpm
new file mode 100644
index 0000000..cfb50da
Binary files /dev/null and b/chicken-4.9.0.1-2.el6.src.rpm differ
diff --git a/chicken.spec b/chicken.spec
index 5324a53..5440e86 100644
--- a/chicken.spec
+++ b/chicken.spec
@@ -2,7 +2,7 @@
 
 Name:           chicken
 Version:        4.9.0.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A practical and portable Scheme system
 
 Group:          Development/Languages
@@ -27,6 +27,8 @@ BuildRequires:  hostname
 BuildRequires:  chicken
 %endif
 
+Patch1: rhbz-1181483.patch
+
 %package libs
 Summary:        Chicken Scheme runtime library
 
@@ -42,6 +44,7 @@ Scheme language standard, and includes many enhancements and extensions.
 %prep
 %setup -q -n %{name}-%{version}
 %patch0 -p1
+%patch1 -p1
 
 %build
 %if %{bootstrap} == 0
@@ -116,7 +119,11 @@ chrpath --delete %{buildroot}/%{_bindir}/*
 %{_libdir}/libchicken.so*
 
 %changelog
-* Thu Aug 07 2014 Ricky Elrod <relrod at redhat.com> - 4.9.0.1-4
+* Tue Jan 13 2015 Ricky Elrod <relrod at redhat.com> - 4.9.0.1-2
+- Apply patch to work around buffer overrun:
+  https://bugzilla.redhat.com/show_bug.cgi?id=1181483
+
+* Thu Aug 07 2014 Ricky Elrod <relrod at redhat.com> - 4.9.0.1-1
 - Latest upstream release.
 
 * Sat Jun 07 2014 Ricky Elrod <relrod at redhat.com> - 4.9.0-4
diff --git a/rhbz-1181483.patch b/rhbz-1181483.patch
new file mode 100644
index 0000000..28a081c
--- /dev/null
+++ b/rhbz-1181483.patch
@@ -0,0 +1,80 @@
+From 230eed2745ea2b57de3c9073e8596892b1da2d8c Mon Sep 17 00:00:00 2001
+From: Moritz Heidkamp <address at hidden>
+Date: Sun, 14 Dec 2014 23:33:52 +0100
+Subject: [PATCH] Fix buffer overrun in substring-index[-ci]
+
+When passing a start index greater than 0, substring-index[-ci] would
+scan past the end of the subject string, leading to bogus results in
+case the substring is accidentally run into beyond the end of the
+subject. This patch fixes the issue and also adds a range check for the
+start index.
+---
+ data-structures.scm             | 22 ++++++++++++++--------
+ tests/data-structures-tests.scm | 11 ++++++++++-
+ 2 files changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/data-structures.scm b/data-structures.scm
+index a94c163..511a3c1 100644
+--- a/data-structures.scm
++++ b/data-structures.scm
+@@ -307,15 +307,21 @@
+   (define (traverse which where start test loc)
+     (##sys#check-string which loc)
+     (##sys#check-string where loc)
+-    (let ([wherelen (##sys#size where)]
+-	  [whichlen (##sys#size which)] )
++    (let* ((wherelen (##sys#size where))
++	   (whichlen (##sys#size which))
++	   (end (fx- wherelen whichlen)))
+       (##sys#check-exact start loc)
+-      (let loop ([istart start] [iend whichlen])
+-	(cond [(fx> iend wherelen) #f]
+-	      [(test istart whichlen) istart]
+-	      [else 
+-	       (loop (fx+ istart 1)
+-		     (fx+ iend 1) ) ] ) ) ) )
++      (if (and (fx>= start 0)
++	       (fx> wherelen start))
++	  (let loop ((istart start))
++	    (cond ((fx> istart end) #f)
++		  ((test istart whichlen) istart)
++		  (else (loop (fx+ istart 1)))))
++	  (##sys#error-hook (foreign-value "C_OUT_OF_RANGE_ERROR" int)
++			    loc
++			    start
++			    wherelen))))
++
+   (set! ##sys#substring-index 
+     (lambda (which where start)
+       (traverse 
+diff --git a/tests/data-structures-tests.scm b/tests/data-structures-tests.scm
+index 51c25a9..34ccb2f 100644
+--- a/tests/data-structures-tests.scm
++++ b/tests/data-structures-tests.scm
+@@ -1,6 +1,6 @@
+ ;;;; data-structures-tests.scm
+ 
+-(use data-structures)
++(use data-structures lolevel)
+ 
+ (define-syntax assert-error
+   (syntax-rules ()
+@@ -57,6 +57,15 @@
+ (assert (< 0 (string-compare3-ci "foo\x00b" "foo\x00a")))
+ (assert (< 0 (string-compare3-ci "foo\x00b" "foo\x00A")))
+ 
++
++;; This used to fail because substring-index and co. used to search
++;; beyond the end of the subject string when a start index > 0 was
++;; provided. We use object-evict to ensure that the strings are placed
++;; in adjacent memory ranges so we can detect this error.
++(let* ((foo (object-evict (make-string 32 #\x)))
++       (bar (object-evict "y")))
++  (assert (not (substring-index "y" foo 30))))
++
+ ;; topological-sort
+ 
+ (assert (equal? '() (topological-sort '() eq?)))
+-- 
+2.1.3
+
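Review bot: The new range check in `traverse`, `(fx> wherelen start)`, rejects a start equal to the subject length, so searching an empty subject string with start 0 now takes the `##sys#error-hook` branch, where the old loop returned #f for a non-empty `which`. If that behaviour change is not intended, `(fx>= wherelen start)` keeps the scan bounded: with a non-empty `which` the loop exits at once because `istart` is already greater than `end`. The added test covers only the overrun case at start 30; an `assert-error` case for a negative start and one for a start past the end would pin the new error path. `test` and the callers of `traverse` are defined outside the hunk, so whether any caller relies on the old #f result cannot be confirmed from here.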

