packages/bison
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!13 Fix CVE-2020-24240

Browse Source 
From: @fly_fzc 
Reviewed-by: @licunlong 
Signed-off-by: @licunlong
This commit is contained in:
openeuler-ci-bot 2022-07-15 07:17:32 +00:00 committed by Gitee
commit 5581c21271
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 562 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

157
backport-CVE-2020-24240.patch Normal file
View File

@ -0,0 +1,157 @@
From be95a4fe2951374676efc9454ffee8638faaf68d Mon Sep 17 00:00:00 2001
From: Akim Demaille <akim.demaille@gmail.com>
Date: Tue, 28 Jul 2020 18:51:30 +0200
Subject: [PATCH] scanner: don't crash on strings containing a NUL byte
We crash if the input contains a string containing a NUL byte.
Reported by Suhwan Song.
https://lists.gnu.org/r/bug-bison/2020-07/msg00051.html
* src/flex-scanner.h (STRING_FREE): Avoid accidental use of
last_string.
* src/scan-gram.l: Don't call STRING_FREE without calling
STRING_FINISH first.
* tests/input.at (Invalid inputs): Check that case.
---
THANKS | 1 +
src/flex-scanner.h | 10 +++++++++-
src/scan-gram.l | 3 ++-
tests/input.at | 48 ++++++++++++++++++++++++++++++++++++----------
4 files changed, 50 insertions(+), 12 deletions(-)
diff --git a/THANKS b/THANKS
index ac073ea67..5c64da3c0 100644
--- a/THANKS
+++ b/THANKS
@@ -185,6 +185,7 @@ Simon Sobisch simonsobisch@web.de
Stefano Lattarini stefano.lattarini@gmail.com
Stephen Cameron stephenmcameron@gmail.com
Steve Murphy murf@parsetree.com
+Suhwan Song prada960808@gmail.com
Sum Wu sum@geekhouse.org
Théophile Ranquet theophile.ranquet@gmail.com
Thiru Ramakrishnan thiru.ramakrishnan@gmail.com
diff --git a/src/flex-scanner.h b/src/flex-scanner.h
index 56ca7ce32..028847fda 100644
--- a/src/flex-scanner.h
+++ b/src/flex-scanner.h
@@ -112,7 +112,15 @@ static struct obstack obstack_for_string;
# define STRING_FINISH() \
(last_string = obstack_finish0 (&obstack_for_string))
-# define STRING_FREE() \
+# ifdef NDEBUG
+# define STRING_FREE() \
obstack_free (&obstack_for_string, last_string)
+# else
+# define STRING_FREE() \
+ do { \
+ obstack_free (&obstack_for_string, last_string); \
+ last_string = NULL; \
+ } while (0)
+#endif
#endif
diff --git a/src/scan-gram.l b/src/scan-gram.l
index f8d85f23f..ad2904ce8 100644
--- a/src/scan-gram.l
+++ b/src/scan-gram.l
@@ -403,6 +403,7 @@ eqopt ({sp}=)?
{
\0 {
complain (loc, complaint, _("invalid null character"));
+ STRING_FINISH ();
STRING_FREE ();
return GRAM_error;
}
@@ -599,7 +600,6 @@ eqopt ({sp}=)?
STRING_FINISH ();
BEGIN INITIAL;
loc->start = token_start;
- val->CHAR = last_string[0];
if (last_string[0] == '\0')
{
@@ -615,6 +615,7 @@ eqopt ({sp}=)?
}
else
{
+ val->CHAR = last_string[0];
STRING_FREE ();
return CHAR;
}
diff --git a/tests/input.at b/tests/input.at
index 4da637955..effcd1cc9 100644
--- a/tests/input.at
+++ b/tests/input.at
@@ -1,4 +1,4 @@
-# Checking the Bison scanner. -*- Autotest -*-
+# Checking the Bison reader. -*- Autotest -*-
# Copyright (C) 2002-2015, 2018-2020 Free Software Foundation, Inc.
@@ -78,10 +78,13 @@ AT_CLEANUP
## Invalid inputs. ##
## ---------------- ##
+# The truly bad guys no human would write, but easily uncovered by
+# fuzzers.
AT_SETUP([Invalid inputs])
AT_DATA([input.y],
[[\000\001\002\377?
+"\000"
%%
?
default: 'a' }
@@ -92,16 +95,41 @@ default: 'a' }
]])
AT_PERL_REQUIRE([[-pi -e 's/\\(\d{3})/chr(oct($1))/ge' input.y]])
-AT_BISON_CHECK([input.y], [1], [],
+AT_BISON_CHECK([-fcaret input.y], [1], [], [stderr])
+
+# Autotest's diffing, when there are NUL bytes, just reports "binary
+# files differ". So don't leave NUL bytes.
+AT_PERL_CHECK([[-p -e 's{([\0\377])}{sprintf "\\x%02x", ord($1)}ge' stderr]], [],
[[input.y:1.1-2: error: invalid characters: '\0\001\002\377?'
-input.y:3.1: error: invalid character: '?'
-input.y:4.14: error: invalid character: '}'
-input.y:5.1: error: invalid character: '%'
-input.y:5.2: error: invalid character: '&'
-input.y:6.1-17: error: invalid directive: '%a-does-not-exist'
-input.y:7.1: error: invalid character: '%'
-input.y:7.2: error: invalid character: '-'
-input.y:8.1-9.0: error: missing '%}' at end of file
+ 1 | \x00\xff?
+ | ^~
+input.y:2.2: error: invalid null character
+ 2 | "\x00"
+ | ^
+input.y:4.1: error: invalid character: '?'
+ 4 | ?
+ | ^
+input.y:5.14: error: invalid character: '}'
+ 5 | default: 'a' }
+ | ^
+input.y:6.1: error: invalid character: '%'
+ 6 | %&
+ | ^
+input.y:6.2: error: invalid character: '&'
+ 6 | %&
+ | ^
+input.y:7.1-17: error: invalid directive: '%a-does-not-exist'
+ 7 | %a-does-not-exist
+ | ^~~~~~~~~~~~~~~~~
+input.y:8.1: error: invalid character: '%'
+ 8 | %-
+ | ^
+input.y:8.2: error: invalid character: '-'
+ 8 | %-
+ | ^
+input.y:9.1-10.0: error: missing '%}' at end of file
+ 9 | %{
+ | ^~
]])
AT_CLEANUP

396
backport-style-prefer-FOO-to-FOO-for-function-like-macros.patch Normal file
View File

@ -0,0 +1,396 @@
From c857ed4f72b83c561bfd42e5ff6c129ddb2017ee Mon Sep 17 00:00:00 2001
From: Akim Demaille <akim.demaille@gmail.com>
Date: Sat, 13 Jun 2020 08:11:22 +0200
Subject: [PATCH] style: prefer 'FOO ()' to 'FOO' for function-like macros
* src/flex-scanner.h (STRING_GROW, STRING_FINISH, STRING_FREE):
Make them function-like macros.
Adjust dependencies.
---
src/flex-scanner.h | 14 +++++-----
src/scan-code.l | 26 +++++++++----------
src/scan-gram.l | 64 +++++++++++++++++++++++-----------------------
src/scan-skel.l | 2 +-
tests/input.at | 4 +--
5 files changed, 55 insertions(+), 55 deletions(-)
diff --git a/src/flex-scanner.h b/src/flex-scanner.h
index 6f6861741..f0f3ae172 100644
--- a/src/flex-scanner.h
+++ b/src/flex-scanner.h
@@ -94,22 +94,22 @@ int FLEX_PREFIX (lex_destroy) (void);
keep (to construct ID, STRINGS etc.). Use the following macros to
use it.
- Use STRING_GROW to append what has just been matched, and
- STRING_FINISH to end the string (it puts the ending 0).
- STRING_FINISH also stores this string in LAST_STRING, which can be
- used, and which is used by STRING_FREE to free the last string. */
+ Use STRING_GROW () to append what has just been matched, and
+ STRING_FINISH () to end the string (it puts the ending 0).
+ STRING_FINISH () also stores this string in LAST_STRING, which can be
+ used, and which is used by STRING_FREE () to free the last string. */
#ifndef FLEX_NO_OBSTACK
static struct obstack obstack_for_string;
-# define STRING_GROW \
+# define STRING_GROW() \
obstack_grow (&obstack_for_string, yytext, yyleng)
-# define STRING_FINISH \
+# define STRING_FINISH() \
(last_string = obstack_finish0 (&obstack_for_string))
-# define STRING_FREE \
+# define STRING_FREE() \
obstack_free (&obstack_for_string, last_string)
#endif
diff --git a/src/scan-code.l b/src/scan-code.l
index 1aaecd4ea..86f877495 100644
--- a/src/scan-code.l
+++ b/src/scan-code.l
@@ -112,7 +112,7 @@ ref -?[0-9]+|{id}|"["{id}"]"|"$"
<SC_COMMENT>
{
- "*"{splice}"/" STRING_GROW; BEGIN sc_context;
+ "*"{splice}"/" STRING_GROW (); BEGIN sc_context;
}
@@ -122,8 +122,8 @@ ref -?[0-9]+|{id}|"["{id}"]"|"$"
<SC_LINE_COMMENT>
{
- "\n" STRING_GROW; BEGIN sc_context;
- {splice} STRING_GROW;
+ "\n" STRING_GROW (); BEGIN sc_context;
+ {splice} STRING_GROW ();
}
@@ -133,26 +133,26 @@ ref -?[0-9]+|{id}|"["{id}"]"|"$"
<SC_CHARACTER,SC_STRING>
{
- {splice}|\\{splice}. STRING_GROW;
+ {splice}|\\{splice}. STRING_GROW ();
}
<SC_CHARACTER>
{
- "'" STRING_GROW; BEGIN sc_context;
+ "'" STRING_GROW (); BEGIN sc_context;
}
<SC_STRING>
{
- "\"" STRING_GROW; BEGIN sc_context;
+ "\"" STRING_GROW (); BEGIN sc_context;
}
<SC_RULE_ACTION,SC_SYMBOL_ACTION>
{
- "'" STRING_GROW; BEGIN SC_CHARACTER;
- "\"" STRING_GROW; BEGIN SC_STRING;
- "/"{splice}"*" STRING_GROW; BEGIN SC_COMMENT;
- "/"{splice}"/" STRING_GROW; BEGIN SC_LINE_COMMENT;
+ "'" STRING_GROW (); BEGIN SC_CHARACTER;
+ "\"" STRING_GROW (); BEGIN SC_STRING;
+ "/"{splice}"*" STRING_GROW (); BEGIN SC_COMMENT;
+ "/"{splice}"/" STRING_GROW (); BEGIN SC_LINE_COMMENT;
[$@] {
complain (loc, Wother, _("stray '%s'"), yytext);
@@ -199,10 +199,10 @@ ref -?[0-9]+|{id}|"["{id}"]"|"$"
[$@\[\]] obstack_escape (&obstack_for_string, yytext);
/* By default, grow the string obstack with the input. */
- .|\n STRING_GROW;
+ .|\n STRING_GROW ();
/* End of processing. */
- <<EOF>> STRING_FINISH; return last_string;
+ <<EOF>> STRING_FINISH (); return last_string;
}
%%
@@ -835,7 +835,7 @@ code_props_translate_code (code_props *self)
void
code_scanner_last_string_free (void)
{
- STRING_FREE;
+ STRING_FREE ();
}
void
diff --git a/src/scan-gram.l b/src/scan-gram.l
index e3d96f242..1bbcfd7d6 100644
--- a/src/scan-gram.l
+++ b/src/scan-gram.l
@@ -115,7 +115,7 @@ static int bracketed_id_context_state = 0;
void
gram_scanner_last_string_free (void)
{
- STRING_FREE;
+ STRING_FREE ();
}
static void handle_syncline (char *, location);
@@ -344,7 +344,7 @@ eqopt ({sp}=)?
/* Code in between braces. */
"{" {
- STRING_GROW;
+ STRING_GROW ();
nesting = 0;
code_start = loc->start;
BEGIN SC_BRACED_CODE;
@@ -403,7 +403,7 @@ eqopt ({sp}=)?
{
\0 {
complain (loc, complaint, _("invalid null character"));
- STRING_FREE;
+ STRING_FREE ();
return GRAM_error;
}
}
@@ -533,7 +533,7 @@ eqopt ({sp}=)?
<SC_COMMENT>
{
- "*"{splice}"/" STRING_GROW; BEGIN context_state;
+ "*"{splice}"/" STRING_GROW (); BEGIN context_state;
<<EOF>> unexpected_eof (token_start, "*/"); BEGIN context_state;
}
@@ -544,8 +544,8 @@ eqopt ({sp}=)?
<SC_LINE_COMMENT>
{
- {eol} STRING_GROW; BEGIN context_state;
- {splice} STRING_GROW;
+ {eol} STRING_GROW (); BEGIN context_state;
+ {splice} STRING_GROW ();
<<EOF>> BEGIN context_state;
}
@@ -558,7 +558,7 @@ eqopt ({sp}=)?
<SC_ESCAPED_STRING>
{
"\"" {
- STRING_FINISH;
+ STRING_FINISH ();
BEGIN INITIAL;
loc->start = token_start;
complain (loc, Wyacc,
@@ -572,7 +572,7 @@ eqopt ({sp}=)?
<SC_ESCAPED_TSTRING>
{
"\")" {
- STRING_FINISH;
+ STRING_FINISH ();
BEGIN INITIAL;
loc->start = token_start;
complain (loc, Wyacc,
@@ -591,7 +591,7 @@ eqopt ({sp}=)?
<SC_ESCAPED_CHARACTER>
{
"'" {
- STRING_FINISH;
+ STRING_FINISH ();
BEGIN INITIAL;
loc->start = token_start;
val->CHAR = last_string[0];
@@ -599,18 +599,18 @@ eqopt ({sp}=)?
if (last_string[0] == '\0')
{
complain (loc, complaint, _("empty character literal"));
- STRING_FREE;
+ STRING_FREE ();
return GRAM_error;
}
else if (last_string[1] != '\0')
{
complain (loc, complaint, _("extra characters in character literal"));
- STRING_FREE;
+ STRING_FREE ();
return GRAM_error;
}
else
{
- STRING_FREE;
+ STRING_FREE ();
return CHAR;
}
}
@@ -630,18 +630,18 @@ eqopt ({sp}=)?
--nesting;
if (nesting < 0)
{
- STRING_FINISH;
+ STRING_FINISH ();
loc->start = token_start;
val->TAG = uniqstr_new (last_string);
- STRING_FREE;
+ STRING_FREE ();
BEGIN INITIAL;
return TAG;
}
- STRING_GROW;
+ STRING_GROW ();
}
- ([^<>]|->)+ STRING_GROW;
- "<"+ STRING_GROW; nesting += yyleng;
+ ([^<>]|->)+ STRING_GROW ();
+ "<"+ STRING_GROW (); nesting += yyleng;
<<EOF>> unexpected_eof (token_start, ">");
}
@@ -696,19 +696,19 @@ eqopt ({sp}=)?
<SC_CHARACTER,SC_STRING>
{
- {splice}|\\{splice}[^\n\[\]] STRING_GROW;
+ {splice}|\\{splice}[^\n\[\]] STRING_GROW ();
}
<SC_CHARACTER>
{
- "'" STRING_GROW; BEGIN context_state;
+ "'" STRING_GROW (); BEGIN context_state;
{eol} unexpected_newline (token_start, "'");
<<EOF>> unexpected_eof (token_start, "'");
}
<SC_STRING>
{
- "\"" STRING_GROW; BEGIN context_state;
+ "\"" STRING_GROW (); BEGIN context_state;
{eol} unexpected_newline (token_start, "\"");
<<EOF>> unexpected_eof (token_start, "\"");
}
@@ -721,25 +721,25 @@ eqopt ({sp}=)?
<SC_BRACED_CODE,SC_PROLOGUE,SC_EPILOGUE,SC_PREDICATE>
{
"'" {
- STRING_GROW;
+ STRING_GROW ();
context_state = YY_START;
token_start = loc->start;
BEGIN SC_CHARACTER;
}
"\"" {
- STRING_GROW;
+ STRING_GROW ();
context_state = YY_START;
token_start = loc->start;
BEGIN SC_STRING;
}
"/"{splice}"*" {
- STRING_GROW;
+ STRING_GROW ();
context_state = YY_START;
token_start = loc->start;
BEGIN SC_COMMENT;
}
"/"{splice}"/" {
- STRING_GROW;
+ STRING_GROW ();
context_state = YY_START;
BEGIN SC_LINE_COMMENT;
}
@@ -754,12 +754,12 @@ eqopt ({sp}=)?
<SC_BRACED_CODE,SC_PREDICATE>
{
- "{"|"<"{splice}"%" STRING_GROW; nesting++;
- "%"{splice}">" STRING_GROW; nesting--;
+ "{"|"<"{splice}"%" STRING_GROW (); nesting++;
+ "%"{splice}">" STRING_GROW (); nesting--;
/* Tokenize '<<%' correctly (as '<<' '%') rather than incorrectly
(as '<' '<%'). */
- "<"{splice}"<" STRING_GROW;
+ "<"{splice}"<" STRING_GROW ();
<<EOF>> unexpected_eof (code_start, "}");
}
@@ -772,7 +772,7 @@ eqopt ({sp}=)?
--nesting;
if (nesting < 0)
{
- STRING_FINISH;
+ STRING_FINISH ();
loc->start = code_start;
BEGIN INITIAL;
RETURN_VALUE (BRACED_CODE, last_string);
@@ -786,7 +786,7 @@ eqopt ({sp}=)?
--nesting;
if (nesting < 0)
{
- STRING_FINISH;
+ STRING_FINISH ();
loc->start = code_start;
BEGIN INITIAL;
RETURN_VALUE (BRACED_PREDICATE, last_string);
@@ -803,7 +803,7 @@ eqopt ({sp}=)?
<SC_PROLOGUE>
{
"%}" {
- STRING_FINISH;
+ STRING_FINISH ();
loc->start = code_start;
BEGIN INITIAL;
RETURN_VALUE (PROLOGUE, last_string);
@@ -821,7 +821,7 @@ eqopt ({sp}=)?
<SC_EPILOGUE>
{
<<EOF>> {
- STRING_FINISH;
+ STRING_FINISH ();
loc->start = code_start;
BEGIN INITIAL;
RETURN_VALUE (EPILOGUE, last_string);
@@ -841,7 +841,7 @@ eqopt ({sp}=)?
Add a fallthrough "|." so that non UTF-8 input is still accepted
and does not jam the scanner. */
- {mbchar}|. STRING_GROW;
+ {mbchar}|. STRING_GROW ();
}
%%
diff --git a/src/scan-skel.l b/src/scan-skel.l
index d7e334d57..a5771639d 100644
--- a/src/scan-skel.l
+++ b/src/scan-skel.l
@@ -100,7 +100,7 @@ static void output_mapped_file (char const *name);
<SC_AT_DIRECTIVE_ARGS>
{
- [^@]+ STRING_GROW;
+ [^@]+ STRING_GROW ();
"@@" obstack_1grow (&obstack_for_string, '@');
"@{" obstack_1grow (&obstack_for_string, '[');
diff --git a/tests/input.at b/tests/input.at
index 1dda9841e..d152de315 100644
--- a/tests/input.at
+++ b/tests/input.at
@@ -1690,8 +1690,8 @@ AT_CLEANUP
AT_SETUP([Unclosed constructs])
-# Bison's scan-gram.l once forgot to STRING_FINISH some unclosed
-# constructs, so they were prepended to whatever it STRING_GROW'ed
+# Bison's scan-gram.l once forgot to STRING_FINISH () some unclosed
+# constructs, so they were prepended to whatever it STRING_GROW ()'ed
# next. It also threw them away rather than returning them to the
# parser. The effect was confusing subsequent error messages.

10
bison.spec
View File

@ -1,11 +1,13 @@
Name: bison
Version: 3.6.4
Release: 2
Release: 3
Summary: A GNU general-purpose parser generator
License: GPLv3+
URL: http://www.gnu.org/software/bison/
Source0: https://ftp.gnu.org/gnu/bison/bison-%{version}.tar.xz
Patch0: backport-build-fix-a-concurrent-build-issue-in-examples.patch
Patch1: backport-style-prefer-FOO-to-FOO-for-function-like-macros.patch
Patch2: backport-CVE-2020-24240.patch
BuildRequires: gcc-c++ autoconf automake m4 flex
Requires(post): info
@ -90,6 +92,12 @@ fi
%{_datadir}/locale/*/LC_MESSAGES/bison-gnulib.mo
%changelog
* Fri Jul 15 2022 fuanan <fuanan3@h-partners.com> - 3.8.2-3
- Type:CVE
- ID:CVE-2020-24240
- SUG:NA
- DESC:Fix CVE-2020-24240
* Mon Apr 19 2021 panxiaohe <panxiaohe@huawei.com> - 3.6.4-2
- Type:enhancement
- ID:NA