codeblock pushed to chicken (f21). "RHBZ#1231871 (..more)"

notifications at fedoraproject.org notifications at fedoraproject.org
Tue Jun 16 02:40:38 UTC 2015


From 1040bcb629cd495c0ed50eed31d7c522e76e5ddf Mon Sep 17 00:00:00 2001
From: Ricky Elrod <ricky at elrod.me>
Date: Mon, 15 Jun 2015 11:12:07 -0400
Subject: RHBZ#1231871

Signed-off-by: Ricky Elrod <ricky at elrod.me>

diff --git a/chicken.spec b/chicken.spec
index d9397d8..d879c44 100644
--- a/chicken.spec
+++ b/chicken.spec
@@ -2,7 +2,7 @@
 
 Name:           chicken
 Version:        4.9.0.1
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        A practical and portable Scheme system
 
 Group:          Development/Languages
@@ -28,6 +28,7 @@ BuildRequires:  chicken
 %endif
 
 Patch1: rhbz-1181483.patch
+Patch1: rhbz-1231871.patch
 
 %package libs
 Summary:        Chicken Scheme runtime library
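Review bot: The added source tag reuses `Patch1:`, which is already taken by rhbz-1181483.patch on the line above, while the `%prep` hunk that follows applies `%patch2 -p1` and no `Patch2:` tag is visible anywhere in this diff. The added line should read `Patch2: rhbz-1231871.patch`. As written, rpmbuild will most likely either reject the duplicate tag or stop at `%patch2` because that patch number is undefined, so the out-of-bounds fix would not reach a built package. A scratch build before pushing would confirm this.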
@@ -45,6 +46,7 @@ Scheme language standard, and includes many enhancements and extensions.
 %setup -q -n %{name}-%{version}
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 %build
 %if %{bootstrap} == 0
@@ -119,6 +121,10 @@ chrpath --delete %{buildroot}/%{_bindir}/*
 %{_libdir}/libchicken.so*
 
 %changelog
+* Mon Jun 13 2015 Ricky Elrod <relrod at redhat.com> - 4.9.0.1-4
+- Apply patch to work around out of bounds bug:
+  https://bugzilla.redhat.com/show_bug.cgi?id=1231871
+
 * Tue Jan 13 2015 Ricky Elrod <relrod at redhat.com> - 4.9.0.1-3
 - Apply patch to work around buffer overrun:
   https://bugzilla.redhat.com/show_bug.cgi?id=1181483
diff --git a/rhbz-1231871.patch b/rhbz-1231871.patch
new file mode 100644
index 0000000..01d1da1
--- /dev/null
+++ b/rhbz-1231871.patch
@@ -0,0 +1,92 @@
+From 0547bc0c750032b0633276b90cf14a22d9bd9cd7 Mon Sep 17 00:00:00 2001
+From: Peter Bex <address at hidden>
+Date: Sun, 14 Jun 2015 19:52:26 +0200
+Subject: [PATCH] Fix potential buffer overrun error in string-translate*
+
+string-translate* would scan from every position in the target string
+for each source string in the map, even if that would mean scanning
+past the end.  The out-of-bounds read would be limited to the size of
+the overlapping prefix in the trailing garbage beyond the string,
+because memcmp will stop scanning as soon as there is a different
+byte in either of the memory areas.
+
+This also adds a few basic tests for string-translate*
+---
+ NEWS                            |  1 +
+ data-structures.scm             | 17 +++++++++--------
+ tests/data-structures-tests.scm | 11 +++++++++++
+ 3 files changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index bf07519..cae9bd3 100644
+--- a/NEWS
++++ b/NEWS
+@@ -5,6 +5,7 @@
+     potential select() buffer overrun.
+   - CVE-2014-9651: substring-index[-ci] no longer scans beyond string
+     boundaries.
++  - string-translate* no longer scans beyond string boundaries.
+ 
+ - Core libraries
+   - alist-ref from unit data-structures now gives an error when passed
+diff --git a/data-structures.scm b/data-structures.scm
+index b67065e..5664d08 100644
+--- a/data-structures.scm
++++ b/data-structures.scm
+@@ -514,7 +514,7 @@
+ (define (string-translate* str smap)
+   (##sys#check-string str 'string-translate*)
+   (##sys#check-list smap 'string-translate*)
+-  (let ([len (##sys#size str)])
++  (let ((len (##sys#size str)))
+     (define (collect i from total fs)
+       (if (fx>= i len)
+ 	  (##sys#fragments->string
+@@ -523,15 +523,16 @@
+ 	    (if (fx> i from) 
+ 		(cons (##sys#substring str from i) fs)
+ 		fs) ) )
+-	  (let loop ([smap smap])
++	  (let loop ((smap smap))
+ 	    (if (null? smap) 
+ 		(collect (fx+ i 1) from (fx+ total 1) fs)
+-		(let* ([p (car smap)]
+-		       [sm (car p)]
+-		       [smlen (string-length sm)]
+-		       [st (cdr p)] )
+-		  (if (##core#inline "C_substring_compare" str sm i 0 smlen)
+-		      (let ([i2 (fx+ i smlen)])
++		(let* ((p (car smap))
++		       (sm (car p))
++		       (smlen (string-length sm))
++		       (st (cdr p)) )
++		  (if (and (fx<= (fx+ i smlen) len)
++			   (##core#inline "C_substring_compare" str sm i 0 smlen))
++		      (let ((i2 (fx+ i smlen)))
+ 			(when (fx> i from)
+ 			  (set! fs (cons (##sys#substring str from i) fs)) )
+ 			(collect 
+diff --git a/tests/data-structures-tests.scm b/tests/data-structures-tests.scm
+index 51c25a9..b576807 100644
+--- a/tests/data-structures-tests.scm
++++ b/tests/data-structures-tests.scm
+@@ -57,6 +57,17 @@
+ (assert (< 0 (string-compare3-ci "foo\x00b" "foo\x00a")))
+ (assert (< 0 (string-compare3-ci "foo\x00b" "foo\x00A")))
+ 
++(assert (string=? "bde" (string-translate* "abcd"
++					   '(("a" . "b")
++					     ("b" . "")
++					     ("c" . "d")
++					     ("d" . "e")))))
++(assert (string=? "bc" (string-translate* "abc"
++					  '(("ab" . "b")
++					    ("bc" . "WRONG")))))
++(assert (string=? "x" (string-translate* "ab" '(("ab" . "x")))))
++(assert (string=? "xy" (string-translate* "xyz" '(("z" . "")))))
++
+ ;; topological-sort
+ 
+ (assert (equal? '() (topological-sort '() eq?)))
+-- 
+2.1.4
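Review bot: None of the four assertions added to tests/data-structures-tests.scm covers a map key that is longer than the remaining target and whose prefix matches the target's tail, which is the case where the old comparison could run past the end of `str`. The new guard `(fx<= (fx+ i smlen) len)` in data-structures.scm looks right, and the "abc" case does reach it at i = 2, but there the first byte already differs, so the test would likely have passed before the fix as well. Adding `(assert (string=? "ab" (string-translate* "ab" '(("abc" . "x")))))` would pin the boundary. The body of `collect` continues outside the hunk, so the rest of the function was not reviewed.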
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/chicken.git/commit/?h=f21&id=1040bcb629cd495c0ed50eed31d7c522e76e5ddf

