rbu 08/10/04 18:57:32 |
Added: byacc-1.9-CVE-2008-3196.patch |
Log: |
Fix stack access error (security bug #232005). |
(Portage version: 2.2_rc11/cvs/Linux 2.6.25-gentoo-r6 x86_64) |
Revision Changes Path |
1.1 dev-util/byacc/files/byacc-1.9-CVE-2008-3196.patch |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-util/byacc/files/byacc-1.9-CVE-2008-3196.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-util/byacc/files/byacc-1.9-CVE-2008-3196.patch?rev=1.1&content-type=text/plain |
Index: byacc-1.9-CVE-2008-3196.patch |
=================================================================== |
Tue Jul 8 15:06:50 2008 UTC by otto |
Fix a venerable bug: if we're reducing a rule that has an empty |
right hand side and the yacc stackpointer is pointing at the very |
end of the allocated stack, we end up accessing the stack out of |
bounds by the implicit $$ = $1 action. Detected by my new malloc, |
experienced by sturm@ on sparc64; ok deraadt@ |
Index: yacc-1.9.1/skeleton.c |
=================================================================== |
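--- yacc-1.9.1.orig/skeleton.c
+++ yacc-1.9.1/skeleton.c
@@ -18,6 +18,7 @@ char *banner[] =
  "/*static char yysccsid[] = \"from: @(#)yaccpar 1.9 (Berkeley) 02/21/93\";*/",
  "static char yyrcsid[] = \"$Id: byacc-1.9-CVE-2008-3196.patch,v 1.1 2008/10/04 18:57:31 rbu Exp $\";",
  "#endif",
+ "#include <string.h>",
  "#define YYBYACC 1",
  "#define YYMAJOR 1",
  "#define YYMINOR 9",
@@ -226,7 +227,10 @@ char *body[] =
  " YYPREFIX, yystate, yyn, yyrule[yyn]);",
  "#endif",
  " yym = yylen[yyn];",
- " yyval = yyvsp[1-yym];",
+ " if (yym)",
+ " yyval = yyvsp[1-yym];",
+ " else",
+ " memset(&yyval, 0, sizeof yyval);",
  " switch (yyn)",
  " {",
  0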
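Review bot: The second context line of the first hunk (the `yyrcsid` string in `banner[]`) reads `$Id: byacc-1.9-CVE-2008-3196.patch,v 1.1 2008/10/04 18:57:31 rbu Exp $`, which is the patch file's own CVS keyword expanded at commit time, not the text in skeleton.c. That context line therefore cannot match the file being patched, so the hunk that adds `#include <string.h>` presumably applies only with fuzz, and under a zero-fuzz policy the security fix would fail to apply. Store the patch with keyword substitution disabled (for example `cvs admin -ko` on the file), or regenerate the first hunk with less context so the `yyrcsid` line falls outside it. Then confirm in the build log that both hunks apply without fuzz. Both `banner[]` and `body[]` start outside the hunks shown.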