mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-30 19:02:57 +00:00
grep: 2.21 -> 2.22
This commit is contained in:
parent
aff3a23d67
commit
b983c6b9b5
@ -1,60 +0,0 @@
|
|||||||
From 83a95bd8c8561875b948cadd417c653dbe7ef2e2 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Yuliy Pisetsky <ypisetsky@fb.com>
|
|
||||||
Date: Thu, 01 Jan 2015 23:36:55 +0000
|
|
||||||
Subject: grep -F: fix a heap buffer (read) overrun
|
|
||||||
|
|
||||||
grep's read buffer is often filled to its full size, except when
|
|
||||||
reading the final buffer of a file. In that case, the number of
|
|
||||||
bytes read may be far less than the size of the buffer. However, for
|
|
||||||
certain unusual pattern/text combinations, grep -F would mistakenly
|
|
||||||
examine bytes in that uninitialized region of memory when searching
|
|
||||||
for a match. With carefully chosen inputs, one can cause grep -F to
|
|
||||||
read beyond the end of that buffer altogether. This problem arose via
|
|
||||||
commit v2.18-90-g73893ff with the introduction of a more efficient
|
|
||||||
heuristic using what is now the memchr_kwset function. The use of
|
|
||||||
that function in bmexec_trans could leave TP much larger than EP,
|
|
||||||
and the subsequent call to bm_delta2_search would mistakenly access
|
|
||||||
beyond end of the main input read buffer.
|
|
||||||
|
|
||||||
* src/kwset.c (bmexec_trans): When TP reaches or exceeds EP,
|
|
||||||
do not call bm_delta2_search.
|
|
||||||
* tests/kwset-abuse: New file.
|
|
||||||
* tests/Makefile.am (TESTS): Add it.
|
|
||||||
* THANKS.in: Update.
|
|
||||||
* NEWS (Bug fixes): Mention it.
|
|
||||||
|
|
||||||
Prior to this patch, this command would trigger a UMR:
|
|
||||||
|
|
||||||
printf %0360db 0 | valgrind src/grep -F $(printf %019dXb 0)
|
|
||||||
|
|
||||||
Use of uninitialised value of size 8
|
|
||||||
at 0x4142BE: bmexec_trans (kwset.c:657)
|
|
||||||
by 0x4143CA: bmexec (kwset.c:678)
|
|
||||||
by 0x414973: kwsexec (kwset.c:848)
|
|
||||||
by 0x414DC4: Fexecute (kwsearch.c:128)
|
|
||||||
by 0x404E2E: grepbuf (grep.c:1238)
|
|
||||||
by 0x4054BF: grep (grep.c:1417)
|
|
||||||
by 0x405CEB: grepdesc (grep.c:1645)
|
|
||||||
by 0x405EC1: grep_command_line_arg (grep.c:1692)
|
|
||||||
by 0x4077D4: main (grep.c:2570)
|
|
||||||
|
|
||||||
See the accompanying test for how to trigger the heap buffer overrun.
|
|
||||||
|
|
||||||
Thanks to Nima Aghdaii for testing and finding numerous
|
|
||||||
ways to break early iterations of this patch.
|
|
||||||
|
|
||||||
Nix: @vcunat restricted this to the runtime code only to avoid needing autoreconfiguration.
|
|
||||||
---
|
|
||||||
diff --git a/src/kwset.c b/src/kwset.c
|
|
||||||
index 4003c8d..376f7c3 100644
|
|
||||||
--- a/src/kwset.c
|
|
||||||
+++ b/src/kwset.c
|
|
||||||
@@ -643,6 +643,8 @@ bmexec_trans (kwset_t kwset, char const *text, size_t size)
|
|
||||||
if (! tp)
|
|
||||||
return -1;
|
|
||||||
tp++;
|
|
||||||
+ if (ep <= tp)
|
|
||||||
+ break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,17 +1,17 @@
|
|||||||
{ stdenv, fetchurl, pcre, libiconv }:
|
{ stdenv, fetchurl, pcre, libiconv, perl }:
|
||||||
|
|
||||||
let version = "2.21"; in
|
let version = "2.22"; in
|
||||||
|
|
||||||
stdenv.mkDerivation {
|
stdenv.mkDerivation {
|
||||||
name = "gnugrep-${version}";
|
name = "gnugrep-${version}";
|
||||||
|
|
||||||
src = fetchurl {
|
src = fetchurl {
|
||||||
url = "mirror://gnu/grep/grep-${version}.tar.xz";
|
url = "mirror://gnu/grep/grep-${version}.tar.xz";
|
||||||
sha256 = "1pp5n15qwxrw1pibwjhhgsibyv5cafhamf8lwzjygs6y00fa2i2j";
|
sha256 = "1srn321x7whlhs5ks36zlcrrmj4iahll8fxwsh1vbz3v04px54fa";
|
||||||
};
|
};
|
||||||
|
|
||||||
patches = [ ./cve-2015-1345.patch ];
|
# Perl is needed for testing
|
||||||
|
nativeBuildInputs = [ perl ];
|
||||||
buildInputs = [ pcre libiconv ];
|
buildInputs = [ pcre libiconv ];
|
||||||
|
|
||||||
# cygwin: FAIL: multibyte-white-space
|
# cygwin: FAIL: multibyte-white-space
|
||||||
|
Loading…
Reference in New Issue
Block a user