diff options
| author |   Lars Wendler <polynomial-c@gentoo.org> | 2016-08-15 21:55:04 +0200 |
|---|---|---|
| committer | Lars Wendler <polynomial-c@gentoo.org> | 2016-08-15 21:55:18 +0200 |
| commit | 0ac0d1883b2fbb34f8b85995cf2ce651af4ef006 (patch) | |
| tree | 91e120561fde50ba985b796f76f901a6da1bd77f /sys-apps/diffutils/files | |
| parent | app-vim/gundo: Clean up old. (diff) | |
| download | gentoo-0ac0d1883b2fbb34f8b85995cf2ce651af4ef006.tar.gz gentoo-0ac0d1883b2fbb34f8b85995cf2ce651af4ef006.tar.bz2 gentoo-0ac0d1883b2fbb34f8b85995cf2ce651af4ef006.zip | |
sys-apps/diffutils: Revbump to fix use-after-free bug in diff3 (bug #591044).
Package-Manager: portage-2.3.0
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Diffstat (limited to 'sys-apps/diffutils/files')
3 files changed, 198 insertions, 0 deletions
diff --git a/sys-apps/diffutils/files/diffutils-3.4-diff3_fix_leaks.patch b/sys-apps/diffutils/files/diffutils-3.4-diff3_fix_leaks.patch new file mode 100644 index 000000000000..fda8319c73c0 --- /dev/null +++ b/sys-apps/diffutils/files/diffutils-3.4-diff3_fix_leaks.patch @@ -0,0 +1,123 @@ +From edd942ca27d570a33d612b12eecaa33a76640e46 Mon Sep 17 00:00:00 2001 +From: Jim Meyering <meyering@fb.com> +Date: Fri, 12 Aug 2016 21:40:29 -0700 +Subject: diff3: fix leaks, for real + +* src/diff3.c (struct diff_block)[lint]: Add member, n2. +(free_diff_block, next_to_n2): New functions. +--- + +diff --git a/src/diff3.c b/src/diff3.c +index 0eb643e..b80aeb3 100644 +--- a/src/diff3.c ++++ b/src/diff3.c +@@ -78,6 +78,9 @@ struct diff_block { + char **lines[2]; /* The actual lines (may contain nulls) */ + size_t *lengths[2]; /* Line lengths (including newlines, if any) */ + struct diff_block *next; ++#ifdef lint ++ struct diff_block *n2; /* Used only when freeing. */ ++#endif + }; + + /* Three way diff */ +@@ -176,7 +179,7 @@ static struct diff3_block *create_diff3_block (lin, lin, lin, lin, lin, lin); + static struct diff3_block *make_3way_diff (struct diff_block *, struct diff_block *); + static struct diff3_block *reverse_diff3_blocklist (struct diff3_block *); + static struct diff3_block *using_to_diff3_block (struct diff_block *[2], struct diff_block *[2], int, int, struct diff3_block const *); +-static struct diff_block *process_diff (char const *, char const *, struct diff_block **); ++static struct diff_block *process_diff (char const *, char const *, struct diff_block **, char **); + static void check_stdout (void); + static void fatal (char const *) __attribute__((noreturn)); + static void output_diff3 (FILE *, struct diff3_block *, int const[3], int const[3]); +@@ -212,6 +215,38 @@ static struct option const longopts[] = + {0, 0, 0, 0} + }; + ++static void ++free_diff_block (struct diff_block *p) ++{ ++#ifndef lint ++ (void)p; ++#else ++ while (p) ++ { ++ free (p->lines[0]); ++ free (p->lines[1]); ++ free (p->lengths[0]); ++ free (p->lengths[1]); ++ struct diff_block *next = p->n2; ++ free (p); ++ p = next; ++ } ++#endif ++} ++ ++/* Copy each next pointer to n2, since make_3way_diff would clobber the former, ++ yet we will still need something to free these buffers. */ ++static void ++next_to_n2 (struct diff_block *p) ++{ ++#ifndef lint ++ (void)p; ++#else ++ while (p) ++ p = p->n2 = p->next; ++#endif ++} ++ + int + main (int argc, char **argv) + { +@@ -377,10 +412,19 @@ main (int argc, char **argv) + /* Invoke diff twice on two pairs of input files, combine the two + diffs, and output them. */ + ++ char *b0, *b1; + commonname = file[rev_mapping[FILEC]]; +- thread1 = process_diff (file[rev_mapping[FILE1]], commonname, &last_block); +- thread0 = process_diff (file[rev_mapping[FILE0]], commonname, &last_block); ++ thread1 = process_diff (file[rev_mapping[FILE1]], commonname, &last_block, &b1); ++ thread0 = process_diff (file[rev_mapping[FILE0]], commonname, &last_block, &b0); ++ ++ next_to_n2 (thread0); ++ next_to_n2 (thread1); ++ + diff3 = make_3way_diff (thread0, thread1); ++ ++ free_diff_block (thread0); ++ free_diff_block (thread1); ++ + if (edscript) + conflicts_found + = output_diff3_edscript (stdout, diff3, mapping, rev_mapping, +@@ -400,6 +444,8 @@ main (int argc, char **argv) + conflicts_found = false; + } + ++ free (b0); ++ free (b1); + check_stdout (); + exit (conflicts_found); + } +@@ -938,7 +984,8 @@ compare_line_list (char * const list1[], size_t const lengths1[], + static struct diff_block * + process_diff (char const *filea, + char const *fileb, +- struct diff_block **last_block) ++ struct diff_block **last_block, ++ char **buf_to_free) + { + char *diff_contents; + char *diff_limit; +@@ -953,6 +1000,7 @@ process_diff (char const *filea, + sizeof *bptr->lengths[1])); + + diff_limit = read_diff (filea, fileb, &diff_contents); ++ *buf_to_free = diff_contents; + scan_diff = diff_contents; + + while (scan_diff < diff_limit) +-- +cgit v1.0 + diff --git a/sys-apps/diffutils/files/diffutils-3.4-diff3_use_after_free.patch b/sys-apps/diffutils/files/diffutils-3.4-diff3_use_after_free.patch new file mode 100644 index 000000000000..41a4b278d08b --- /dev/null +++ b/sys-apps/diffutils/files/diffutils-3.4-diff3_use_after_free.patch @@ -0,0 +1,26 @@ +From 1a0df4396ebe3b9a58b882bb976cfce3f50d3cac Mon Sep 17 00:00:00 2001 +From: Bastian Beischer <bastian.beischer@rwth-aachen.de> +Date: Sat, 13 Aug 2016 18:53:36 -0700 +Subject: diff3: fix heap use-after-free; add minimal diff3 test coverage + +Commit v3.3-42-g3b74a90, "FIXME: src/diff3: plug a leak" added an +invalid use of free, leading to use-after-free in nearly any invocation +of diff3. Revert that commit. +Reported by Bastian Beischer in http://bugs.gnu.org/24210 +--- + +diff --git a/src/diff3.c b/src/diff3.c +index 6ef90f4..0eb643e 100644 +--- a/src/diff3.c ++++ b/src/diff3.c +@@ -1039,7 +1039,6 @@ process_diff (char const *filea, + + *block_list_end = NULL; + *last_block = bptr; +- free (diff_contents); + return block_list; + } + +-- +cgit v1.0 + diff --git a/sys-apps/diffutils/files/diffutils-3.4-no_color_on_dumb_terms.patch b/sys-apps/diffutils/files/diffutils-3.4-no_color_on_dumb_terms.patch new file mode 100644 index 000000000000..33f81e4fa2aa --- /dev/null +++ b/sys-apps/diffutils/files/diffutils-3.4-no_color_on_dumb_terms.patch @@ -0,0 +1,49 @@ +From 697c1f4fa93ac971c487725e9e53fc211cd3c670 Mon Sep 17 00:00:00 2001 +From: Jim Meyering <meyering@fb.com> +Date: Mon, 8 Aug 2016 18:50:15 -0700 +Subject: diff: disable colorization for TERM=dumb + +* src/diff.c (main): With --color or --color=auto, when TERM is +"dumb", disable colorization. Suggested by Daniel Colascione. +* NEWS (Bug fixes): Mention it. +* tests/colors: Add a test that would fail without this change, +yet passes with it. +--- + +diff --git a/src/diff.c b/src/diff.c +index 9bc1d96..686945e 100644 +--- a/src/diff.c ++++ b/src/diff.c +@@ -656,6 +656,13 @@ main (int argc, char **argv) + prev = c; + } + ++ if (colors_style == AUTO) ++ { ++ char const *t = getenv ("TERM"); ++ if (t && STREQ (t, "dumb")) ++ colors_style = NEVER; ++ } ++ + if (output_style == OUTPUT_UNSPECIFIED) + { + if (show_c_function) +diff --git a/tests/colors b/tests/colors +index 3ad2206..8651a5b 100755 +--- a/tests/colors ++++ b/tests/colors +@@ -86,6 +86,11 @@ test $? = 1 || fail=1 + gen_exp_default > exp || framework_failure_ + compare exp out || fail=1 + ++TERM=dumb diff ---presume-output-tty --color=auto a b > out ++test $? = 1 || fail=1 ++gen_exp_default > exp || framework_failure_ ++compare exp out || fail=1 ++ + diff --color=never a b > out + test $? = 1 || fail=1 + gen_exp_default > exp || framework_failure_ +-- +cgit v1.0 + |