Module Name: pkgsrc
Committed By: leot
Date: Wed Nov 12 11:58:20 UTC 2025
Modified Files:
pkgsrc/lang/quickjs: Makefile distinfo
pkgsrc/lang/quickjs/patches: patch-quickjs.c
Log Message:
quickjs: Backport patch to fix CVE-2025-12745
Bump PKGREVISION.
To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 pkgsrc/lang/quickjs/Makefile
cvs rdiff -u -r1.13 -r1.14 pkgsrc/lang/quickjs/distinfo
cvs rdiff -u -r1.5 -r1.6 pkgsrc/lang/quickjs/patches/patch-quickjs.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/lang/quickjs/Makefile
diff -u pkgsrc/lang/quickjs/Makefile:1.15 pkgsrc/lang/quickjs/Makefile:1.16
--- pkgsrc/lang/quickjs/Makefile:1.15 Wed Nov 12 11:49:38 2025
+++ pkgsrc/lang/quickjs/Makefile Wed Nov 12 11:58:19 2025
@@ -1,10 +1,11 @@
-# $NetBSD: Makefile,v 1.15 2025/11/12 11:49:38 leot Exp $
+# $NetBSD: Makefile,v 1.16 2025/11/12 11:58:19 leot Exp $
NAME= quickjs
QJS_DATE= 2025-09-13
VERSION= ${QJS_DATE:S/-//g}
DISTNAME= ${NAME}-${QJS_DATE}
PKGNAME= ${NAME}-${VERSION}
+PKGREVISION= 1
CATEGORIES= lang
MASTER_SITES= https://bellard.org/quickjs/
EXTRACT_SUFX= .tar.xz
Index: pkgsrc/lang/quickjs/distinfo
diff -u pkgsrc/lang/quickjs/distinfo:1.13 pkgsrc/lang/quickjs/distinfo:1.14
--- pkgsrc/lang/quickjs/distinfo:1.13 Wed Nov 12 11:49:38 2025
+++ pkgsrc/lang/quickjs/distinfo Wed Nov 12 11:58:19 2025
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.13 2025/11/12 11:49:38 leot Exp $
+$NetBSD: distinfo,v 1.14 2025/11/12 11:58:19 leot Exp $
BLAKE2s (quickjs-2025-09-13.tar.xz) = 1dd767416ef10f6f3be0ada60edd5c478e08a6df5813b345e7830038b1e416b0
SHA512 (quickjs-2025-09-13.tar.xz) = 077acba8b318b19cd2660fae0ca03099185b688dba46c89a6456b455639813eefc282975cd1eebdb3c49f62217b9506c6abad86d777b08cb49fe234beef918a2
@@ -7,4 +7,4 @@ SHA1 (patch-Makefile) = c3f827f36e41ca78
SHA1 (patch-qjs.c) = bfabed96cfdd40214fede3069485394af2faef4f
SHA1 (patch-qjsc.c) = bffd0222579f3996bc21116694343a7dd65d8f33
SHA1 (patch-quickjs-libc.c) = 39c2b553ef04b308e7c477590edd345b62acc528
-SHA1 (patch-quickjs.c) = 7e8b8e9370bea8c654fb766217a6021c245fcee9
+SHA1 (patch-quickjs.c) = 0bd06241a4262168124171adf7cf963809e74915
Index: pkgsrc/lang/quickjs/patches/patch-quickjs.c
diff -u pkgsrc/lang/quickjs/patches/patch-quickjs.c:1.5 pkgsrc/lang/quickjs/patches/patch-quickjs.c:1.6
--- pkgsrc/lang/quickjs/patches/patch-quickjs.c:1.5 Wed Nov 12 11:49:38 2025
+++ pkgsrc/lang/quickjs/patches/patch-quickjs.c Wed Nov 12 11:58:20 2025
@@ -1,6 +1,8 @@
-$NetBSD: patch-quickjs.c,v 1.5 2025/11/12 11:49:38 leot Exp $
+$NetBSD: patch-quickjs.c,v 1.6 2025/11/12 11:58:20 leot Exp $
-Portability patch for NetBSD.
+- Portability patch for NetBSD.
+- Backport commit c6fe5a98fd3ef3b7064e6e0145dfebfe12449fea to fix
+ CVE-2025-12745.
--- quickjs.c.orig 2025-09-13 08:48:28.000000000 +0000
+++ quickjs.c
@@ -29,3 +31,12 @@ Portability patch for NetBSD.
return 0;
#elif defined(__linux__) || defined(__GLIBC__)
return malloc_usable_size((void *)ptr);
+@@ -52988,7 +52996,7 @@ static JSValue js_array_buffer_slice(JSC
+ goto fail;
+ }
+ /* must test again because of side effects */
+- if (abuf->detached) {
++ if (abuf->detached || abuf->byte_length < start + new_len) {
+ JS_ThrowTypeErrorDetachedArrayBuffer(ctx);
+ goto fail;
+ }
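Review bot: The widened condition `if (abuf->detached || abuf->byte_length < start + new_len)` still reports through `JS_ThrowTypeErrorDetachedArrayBuffer`, so a buffer that is still attached but too short for the requested range produces a "detached" diagnostic that does not match the cause. That can mislead anyone triaging a crash report or fuzzer finding. The one-line comment above it could also state what is being re-validated, for example `/* re-check after side effects: abuf may be detached or shorter now, so start + new_len must still fit */`. The declarations of `start` and `new_len` are outside this hunk; presumably they are wide enough that `start + new_len` cannot wrap, but that should be confirmed against the upstream commit, since a wrapped sum would pass this check. The body of `js_array_buffer_slice` begins and ends outside the hunk, so the access this guard protects is not visible here.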