codeblock pushed to chicken (f21). "RHBZ#1231871 (..more)"
notifications at fedoraproject.org
notifications at fedoraproject.org
Tue Jun 16 02:40:38 UTC 2015
From 1040bcb629cd495c0ed50eed31d7c522e76e5ddf Mon Sep 17 00:00:00 2001
From: Ricky Elrod <ricky at elrod.me>
Date: Mon, 15 Jun 2015 11:12:07 -0400
Subject: RHBZ#1231871
Signed-off-by: Ricky Elrod <ricky at elrod.me>
diff --git a/chicken.spec b/chicken.spec
index d9397d8..d879c44 100644
--- a/chicken.spec
+++ b/chicken.spec
@@ -2,7 +2,7 @@
Name: chicken
Version: 4.9.0.1
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: A practical and portable Scheme system
Group: Development/Languages
@@ -28,6 +28,7 @@ BuildRequires: chicken
%endif
Patch1: rhbz-1181483.patch
+Patch1: rhbz-1231871.patch
%package libs
Summary: Chicken Scheme runtime library
@@ -45,6 +46,7 @@ Scheme language standard, and includes many enhancements and extensions.
%setup -q -n %{name}-%{version}
%patch0 -p1
%patch1 -p1
+%patch2 -p1
%build
%if %{bootstrap} == 0
@@ -119,6 +121,10 @@ chrpath --delete %{buildroot}/%{_bindir}/*
%{_libdir}/libchicken.so*
%changelog
+* Mon Jun 13 2015 Ricky Elrod <relrod at redhat.com> - 4.9.0.1-4
+- Apply patch to work around out of bounds bug:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1231871
+
* Tue Jan 13 2015 Ricky Elrod <relrod at redhat.com> - 4.9.0.1-3
- Apply patch to work around buffer overrun:
https://bugzilla.redhat.com/show_bug.cgi?id=1181483
diff --git a/rhbz-1231871.patch b/rhbz-1231871.patch
new file mode 100644
index 0000000..01d1da1
--- /dev/null
+++ b/rhbz-1231871.patch
@@ -0,0 +1,92 @@
+From 0547bc0c750032b0633276b90cf14a22d9bd9cd7 Mon Sep 17 00:00:00 2001
+From: Peter Bex <address at hidden>
+Date: Sun, 14 Jun 2015 19:52:26 +0200
+Subject: [PATCH] Fix potential buffer overrun error in string-translate*
+
+string-translate* would scan from every position in the target string
+for each source string in the map, even if that would mean scanning
+past the end. The out-of-bounds read would be limited to the size of
+the overlapping prefix in the trailing garbage beyond the string,
+because memcmp will stop scanning as soon as there is a different
+byte in either of the memory areas.
+
+This also adds a few basic tests for string-translate*
+---
+ NEWS | 1 +
+ data-structures.scm | 17 +++++++++--------
+ tests/data-structures-tests.scm | 11 +++++++++++
+ 3 files changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index bf07519..cae9bd3 100644
+--- a/NEWS
++++ b/NEWS
+@@ -5,6 +5,7 @@
+ potential select() buffer overrun.
+ - CVE-2014-9651: substring-index[-ci] no longer scans beyond string
+ boundaries.
++ - string-translate* no longer scans beyond string boundaries.
+
+ - Core libraries
+ - alist-ref from unit data-structures now gives an error when passed
+diff --git a/data-structures.scm b/data-structures.scm
+index b67065e..5664d08 100644
+--- a/data-structures.scm
++++ b/data-structures.scm
+@@ -514,7 +514,7 @@
+ (define (string-translate* str smap)
+ (##sys#check-string str 'string-translate*)
+ (##sys#check-list smap 'string-translate*)
+- (let ([len (##sys#size str)])
++ (let ((len (##sys#size str)))
+ (define (collect i from total fs)
+ (if (fx>= i len)
+ (##sys#fragments->string
+@@ -523,15 +523,16 @@
+ (if (fx> i from)
+ (cons (##sys#substring str from i) fs)
+ fs) ) )
+- (let loop ([smap smap])
++ (let loop ((smap smap))
+ (if (null? smap)
+ (collect (fx+ i 1) from (fx+ total 1) fs)
+- (let* ([p (car smap)]
+- [sm (car p)]
+- [smlen (string-length sm)]
+- [st (cdr p)] )
+- (if (##core#inline "C_substring_compare" str sm i 0 smlen)
+- (let ([i2 (fx+ i smlen)])
++ (let* ((p (car smap))
++ (sm (car p))
++ (smlen (string-length sm))
++ (st (cdr p)) )
++ (if (and (fx<= (fx+ i smlen) len)
++ (##core#inline "C_substring_compare" str sm i 0 smlen))
++ (let ((i2 (fx+ i smlen)))
+ (when (fx> i from)
+ (set! fs (cons (##sys#substring str from i) fs)) )
+ (collect
+diff --git a/tests/data-structures-tests.scm b/tests/data-structures-tests.scm
+index 51c25a9..b576807 100644
+--- a/tests/data-structures-tests.scm
++++ b/tests/data-structures-tests.scm
+@@ -57,6 +57,17 @@
+ (assert (< 0 (string-compare3-ci "foo\x00b" "foo\x00a")))
+ (assert (< 0 (string-compare3-ci "foo\x00b" "foo\x00A")))
+
++(assert (string=? "bde" (string-translate* "abcd"
++ '(("a" . "b")
++ ("b" . "")
++ ("c" . "d")
++ ("d" . "e")))))
++(assert (string=? "bc" (string-translate* "abc"
++ '(("ab" . "b")
++ ("bc" . "WRONG")))))
++(assert (string=? "x" (string-translate* "ab" '(("ab" . "x")))))
++(assert (string=? "xy" (string-translate* "xyz" '(("z" . "")))))
++
+ ;; topological-sort
+
+ (assert (equal? '() (topological-sort '() eq?)))
+--
+2.1.4
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/chicken.git/commit/?h=f21&id=1040bcb629cd495c0ed50eed31d7c522e76e5ddf
More information about the scm-commits
mailing list