pkgsrc-WIP-changes archive


libvterm: adapt fix for CVE-2018-20786 from vim



Module Name:	pkgsrc-wip
Committed By:	Claes Nästén <pekdon%gmail.com@localhost>
Pushed By:	pekdon
Date:		Sun Mar 13 07:29:12 2022 +0100
Changeset:	deb7f79e40c02c3744d84b78a596dcef74d81e26

Modified Files:
	libvterm/distinfo
Added Files:
	libvterm/patches/patch-src_screen.c
	libvterm/patches/patch-src_state.c
	libvterm/patches/patch-src_vterm.c
Removed Files:
	libvterm/TODO

Log Message:
libvterm: adapt fix for CVE-2018-20786 from vim

Adapt fix from vim commit cd929f7ba8cc5b6d6dcf35c8b34124e969fed6b8
with the addition of checking tmpbuffer allocation in
vterm_new_with_allocator

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=deb7f79e40c02c3744d84b78a596dcef74d81e26

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 libvterm/TODO                       |  2 -
 libvterm/distinfo                   |  3 ++
 libvterm/patches/patch-src_screen.c | 76 +++++++++++++++++++++++++++++++++++++
 libvterm/patches/patch-src_state.c  | 34 +++++++++++++++++
 libvterm/patches/patch-src_vterm.c  | 66 ++++++++++++++++++++++++++++++++
 5 files changed, 179 insertions(+), 2 deletions(-)

diffs:
diff --git a/libvterm/TODO b/libvterm/TODO
deleted file mode 100644
index eb027e609f..0000000000
--- a/libvterm/TODO
+++ /dev/null
@@ -1,2 +0,0 @@
-This package has known vulnerabilities, please investigate and fix if possible:
-  CVE-2018-20786
diff --git a/libvterm/distinfo b/libvterm/distinfo
index 30c93fa185..aee6362002 100644
--- a/libvterm/distinfo
+++ b/libvterm/distinfo
@@ -3,3 +3,6 @@ $NetBSD$
 RMD160 (libvterm-0.1.4.tar.gz) = 827234390d2ac60377786c896808736827cbfbee
 SHA512 (libvterm-0.1.4.tar.gz) = 90b5d47417e3f469df5c6574a27d12bd6bd1571d17cab7c4ac0ee61b1dbcb6361987f6fdfd11e314ea32f8958ec165c319a34d0f77288947c7cbc11de697d524
 Size (libvterm-0.1.4.tar.gz) = 69122 bytes
+SHA1 (patch-src_screen.c) = c41f68d526cd7f1b8a625be6a9a2e4a6adfe5ee6
+SHA1 (patch-src_state.c) = ada2ea37ec6642039011b55557b38cfb88f37cc6
+SHA1 (patch-src_vterm.c) = 5dc781dfe804f13f1b0a0f8b00bf24aa0f8804f2
diff --git a/libvterm/patches/patch-src_screen.c b/libvterm/patches/patch-src_screen.c
new file mode 100644
index 0000000000..bd4148e3b1
--- /dev/null
+++ b/libvterm/patches/patch-src_screen.c
@@ -0,0 +1,76 @@
+$NetBSD$
+
+CVE-2018-20786 fix from vim cd929f7ba8cc5b6d6dcf35c8b34124e969fed6b8
+
+--- src/screen.c.orig	2022-03-13 06:09:38.851039573 +0000
++++ src/screen.c
+@@ -94,8 +94,7 @@ static ScreenCell *realloc_buffer(VTermS
+     }
+   }
+ 
+-  if(buffer)
+-    vterm_allocator_free(screen->vt, buffer);
++  vterm_allocator_free(screen->vt, buffer);
+ 
+   return new_buffer;
+ }
+@@ -517,8 +516,7 @@ static int resize(int new_rows, int new_
+   screen->rows = new_rows;
+   screen->cols = new_cols;
+ 
+-  if(screen->sb_buffer)
+-    vterm_allocator_free(screen->vt, screen->sb_buffer);
++  vterm_allocator_free(screen->vt, screen->sb_buffer);
+ 
+   screen->sb_buffer = vterm_allocator_malloc(screen->vt, sizeof(VTermScreenCell) * new_cols);
+ 
+@@ -619,13 +617,19 @@ static VTermStateCallbacks state_cbs = {
+   .setlineinfo = &setlineinfo,
+ };
+ 
++/*
++ * Allocate a new screen and return it.
++ * Return NULL when out of memory.
++ */
+ static VTermScreen *screen_new(VTerm *vt)
+ {
+   VTermState *state = vterm_obtain_state(vt);
+-  if(!state)
++  if (state == NULL)
+     return NULL;
+ 
+   VTermScreen *screen = vterm_allocator_malloc(vt, sizeof(VTermScreen));
++  if (screen == NULL)
++    return NULL;
+   int rows, cols;
+ 
+   vterm_get_size(vt, &rows, &cols);
+@@ -644,10 +648,13 @@ static VTermScreen *screen_new(VTerm *vt
+   screen->cbdata    = NULL;
+ 
+   screen->buffers[0] = realloc_buffer(screen, NULL, rows, cols);
+-
+   screen->buffer = screen->buffers[0];
+-
+   screen->sb_buffer = vterm_allocator_malloc(screen->vt, sizeof(VTermScreenCell) * cols);
++  if (screen->buffer == NULL || screen->sb_buffer == NULL)
++  {
++    vterm_screen_free(screen);
++    return NULL;
++  }
+ 
+   vterm_state_set_callbacks(screen->state, &state_cbs, screen);
+ 
+@@ -657,11 +664,8 @@ static VTermScreen *screen_new(VTerm *vt
+ INTERNAL void vterm_screen_free(VTermScreen *screen)
+ {
+   vterm_allocator_free(screen->vt, screen->buffers[0]);
+-  if(screen->buffers[1])
+-    vterm_allocator_free(screen->vt, screen->buffers[1]);
+-
++  vterm_allocator_free(screen->vt, screen->buffers[1]);
+   vterm_allocator_free(screen->vt, screen->sb_buffer);
+-
+   vterm_allocator_free(screen->vt, screen);
+ }
+ 
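Review bot: In the nested resize hunk the result of `vterm_allocator_malloc(screen->vt, sizeof(VTermScreenCell) * new_cols)` is still stored in `screen->sb_buffer` without a NULL test, although the old buffer has just been freed and the same allocation is checked in screen_new. On allocation failure the screen keeps its new `rows`/`cols` with a NULL scrollback buffer, so any later use of it would presumably hit the same out-of-memory NULL dereference this patch closes elsewhere. Allocating into a temporary, testing it, and only then freeing and replacing `screen->sb_buffer` would keep the old state intact; the right failure return depends on resize's callers, which are outside the hunk. Separately, the new error path in screen_new calls `vterm_screen_free(screen)`, which frees `screen->buffers[1]`; its initialisation is not visible here, so confirm it is NULL (or set it) before that path can run.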
diff --git a/libvterm/patches/patch-src_state.c b/libvterm/patches/patch-src_state.c
new file mode 100644
index 0000000000..06dbfda400
--- /dev/null
+++ b/libvterm/patches/patch-src_state.c
@@ -0,0 +1,34 @@
+$NetBSD$
+
+CVE-2018-20786 fix from vim cd929f7ba8cc5b6d6dcf35c8b34124e969fed6b8
+
+--- src/state.c.orig	2022-03-12 21:10:57.446471266 +0000
++++ src/state.c
+@@ -52,6 +52,8 @@ static VTermState *vterm_state_new(VTerm
+ {
+   VTermState *state = vterm_allocator_malloc(vt, sizeof(VTermState));
+ 
++  if (state == NULL)
++    return NULL;
+   state->vt = vt;
+ 
+   state->rows = vt->rows;
+@@ -1697,12 +1699,18 @@ static const VTermParserCallbacks parser
+   .resize  = on_resize,
+ };
+ 
++/*
++ * Return the existing state or create a new one.
++ * Returns NULL when out of memory.
++ */
+ VTermState *vterm_obtain_state(VTerm *vt)
+ {
+   if(vt->state)
+     return vt->state;
+ 
+   VTermState *state = vterm_state_new(vt);
++  if (state == NULL)
++    return NULL;
+   vt->state = state;
+ 
+   state->combine_chars_size = 16;
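Review bot: The NULL checks added here stop at the `VTermState` struct itself; the nested hunk ends at `state->combine_chars_size = 16;`, and any buffer allocations that follow in vterm_obtain_state are outside the hunk and, if present and unchecked, would leave the same out-of-memory dereference open. Note also that `vt->state = state;` is assigned before those later steps, so a failure check added after it would need to reset `vt->state`, otherwise the next call returns the half-built state through the `if(vt->state)` shortcut. The new comment could record the visible contract as well, e.g. `Returns NULL when out of memory; vt->state is left unset in that case.` The function body continues past the hunk.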
diff --git a/libvterm/patches/patch-src_vterm.c b/libvterm/patches/patch-src_vterm.c
new file mode 100644
index 0000000000..0550a4ad96
--- /dev/null
+++ b/libvterm/patches/patch-src_vterm.c
@@ -0,0 +1,66 @@
+$NetBSD$
+
+CVE-2018-20786 fix from vim cd929f7ba8cc5b6d6dcf35c8b34124e969fed6b8
+
+--- src/vterm.c.orig	2020-08-22 14:54:34.000000000 +0000
++++ src/vterm.c
+@@ -37,6 +37,8 @@ VTerm *vterm_new_with_allocator(int rows
+   /* Need to bootstrap using the allocator function directly */
+   VTerm *vt = (*funcs->malloc)(sizeof(VTerm), allocdata);
+ 
++  if (vt == NULL)
++    return NULL;
+   vt->allocator = funcs;
+   vt->allocdata = allocdata;
+ 
+@@ -51,6 +53,12 @@ VTerm *vterm_new_with_allocator(int rows
+   vt->parser.strbuffer_len = 64;
+   vt->parser.strbuffer_cur = 0;
+   vt->parser.strbuffer = vterm_allocator_malloc(vt, vt->parser.strbuffer_len);
++  if (vt->parser.strbuffer == NULL)
++  {
++    vterm_allocator_free(vt, vt);
++    return NULL;
++  }
++ 
+ 
+   vt->outfunc = NULL;
+   vt->outdata = NULL;
+@@ -58,9 +66,22 @@ VTerm *vterm_new_with_allocator(int rows
+   vt->outbuffer_len = 64;
+   vt->outbuffer_cur = 0;
+   vt->outbuffer = vterm_allocator_malloc(vt, vt->outbuffer_len);
++  if (vt->outbuffer == NULL)
++  {
++    vterm_allocator_free(vt, vt->parser.strbuffer);
++    vterm_allocator_free(vt, vt);
++    return NULL;
++  }
+ 
+   vt->tmpbuffer_len = 64;
+   vt->tmpbuffer = vterm_allocator_malloc(vt, vt->tmpbuffer_len);
++  if (vt->tmpbuffer == NULL)
++  {
++    vterm_allocator_free(vt, vt->outbuffer);
++    vterm_allocator_free(vt, vt->parser.strbuffer);
++    vterm_allocator_free(vt, vt);
++    return NULL;
++  }
+ 
+   return vt;
+ }
+@@ -85,9 +106,13 @@ INTERNAL void *vterm_allocator_malloc(VT
+   return (*vt->allocator->malloc)(size, vt->allocdata);
+ }
+ 
++/*
++ * Free "ptr" unless it is NULL.
++ */
+ INTERNAL void vterm_allocator_free(VTerm *vt, void *ptr)
+ {
+-  (*vt->allocator->free)(ptr, vt->allocdata);
++  if (ptr)
++    (*vt->allocator->free)(ptr, vt->allocdata);
+ }
+ 
+ void vterm_get_size(const VTerm *vt, int *rowsp, int *colsp)
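Review bot: The three error paths added to vterm_new_with_allocator depend on `vt` being released last, because vterm_allocator_free reads `vt->allocator` and `vt->allocdata` before invoking the free callback; nothing in the new code says so, and a reordered cleanup would turn into a use-after-free. A one-line comment on the first path, e.g. `/* free vt last: vterm_allocator_free() dereferences vt */`, would record that. Since vterm_allocator_free now ignores NULL, the three ladders could also collapse into one shared exit if the buffer pointers were set to NULL up front. The added line after the strbuffer check carries trailing whitespace and leaves a double blank line. The function starts above the nested hunk.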

