indent: fix CVE-2024-0911

Backport a fix from upstream to resolve CVE-2024-0911 https://git.savannah.gnu.org/git/indent.git feb2b646e6c3a05018e132515c5eda98ca13d50d (cherry picked from commit 26ef6a9c2da06b7de4116c483f9197fd4cf2a4cb) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: hongxu <hongxu.jia@eng.windriver.com> 2025-09-27 12:27:18 +0200
committer: Khem Raj <raj.khem@gmail.com> 2025-09-27 16:18:14 -0700
commit: d1375d37ee514b8883836ca4437e11b013fc781e (patch)
tree: 3599e4b8d7c0f825275210c1233b904707d6e365
parent: 91ac7b0212113227829deda00c9a58a94d20fce7 (diff)
download: meta-openembedded-d1375d37ee514b8883836ca4437e11b013fc781e.tar.gz
2 files changed, 124 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/indent/indent/0001-Fix-a-heap-buffer-underread-in-set_buf_break.patch b/meta-oe/recipes-extended/indent/indent/0001-Fix-a-heap-buffer-underread-in-set_buf_break.patch
new file mode 100644
index 0000000000..9938b6ebed
--- /dev/null
+++ b/meta-oe/recipes-extended/indent/indent/0001-Fix-a-heap-buffer-underread-in-set_buf_break.patch
@@ -0,0 +1,123 @@
+From ec3ce4dce7f0bc6f15e8a29eeb3776359e0750fb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 22 Nov 2024 17:27:21 +0800
+Subject: [PATCH] Fix a heap buffer underread in set_buf_break()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+If an opening parenthesis follows a comment with a text, a read from
+an invalid address happens in set_buf_break():
+    $ printf '/*a*/()' | valgrind -- ./src/indent - -o /dev/null
+    ==28887== Memcheck, a memory error detector
+    ==28887== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
+    ==28887== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info
+    ==28887== Command: ./src/indent - -o /dev/null
+    ==28887==
+    ==28887== Invalid read of size 2
+    ==28887==    at 0x409989: set_buf_break (output.c:319)
+    ==28887==    by 0x401FE7: indent_main_loop (indent.c:640)
+    ==28887==    by 0x4022A7: indent (indent.c:759)
+    ==28887==    by 0x40294E: indent_single_file (indent.c:1004)
+    ==28887==    by 0x402A1C: indent_all (indent.c:1042)
+    ==28887==    by 0x402BD0: main (indent.c:1123)
+    ==28887==  Address 0x4a5facc is 4 bytes before a block of size 16 alloc'd
+    ==28887==    at 0x4849E60: calloc (vg_replace_malloc.c:1595)
+    ==28887==    by 0x408B61: xmalloc (globs.c:42)
+    ==28887==    by 0x40765E: init_parser (parse.c:73)
+    ==28887==    by 0x402B1F: main (indent.c:1101)
+It happens when checking an indentation level of the outer scope by indexing
+parser_state_tos->paren_indents[]:
+    level = parser_state_tos->p_l_follow;
+    [...]
+    /* Did we just parse a bracket that will be put on the next line
+     * by this line break? */
+    if ((*token == '(') || (*token == '['))
+        --level;    /* then don't take it into account */
+    [...]
+    if (level == 0) {
+    } else {
+→       if (parser_state_tos->paren_indents[level - 1] < 0) {...}
+    }
+The cause is a special case for moving opening parentheses and
+brackets to a next line. If parser_state_tos->p_l_follow is zero
+(like in the reproducer), the index evaluates to -2 and goes out of
+range of the paren_indents array.
+This patch simply prevents from decreasing the index under zero when
+formating the code. Maybe it leaves some piece of code unformated, but
+it's safe.
+I checked all places where p_l_follow is set (it is only in
+handletoken.c) and they corretly prevent from decrasing it under
+zero. That keeps set_buf_break() in output.c as the culprit.
+<https://lists.gnu.org/archive/html/bug-indent/2024-01/msg00000.html>
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+CVE: CVE-2024-0911
+Upstream-Status: Backport [feb2b646e6c3a05018e132515c5eda98ca13d50d
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ regression/TEST                                     | 2 +-
+ regression/input/comment-parent-heap-underread.c    | 3 +++
+ regression/standard/comment-parent-heap-underread.c | 5 +++++
+ src/output.c                                        | 2 +-
+ 4 files changed, 10 insertions(+), 2 deletions(-)
+ create mode 100644 regression/input/comment-parent-heap-underread.c
+ create mode 100644 regression/standard/comment-parent-heap-underread.c
+diff --git a/regression/TEST b/regression/TEST
+index a76c112..0888a18 100755
+--- a/regression/TEST
+++ b/regression/TEST
+@@ -38,7 +38,7 @@ BUGS="case-label.c one-line-1.c one-line-2.c one-line-3.c \
+         macro.c enum.c elif.c nested.c wrapped-string.c minus_predecrement.c \
+         bug-gnu-33364.c float-constant-suffix.c block-comments.c \
+         no-forced-nl-in-block-init.c hexadecimal_float.c \
+-        comment-heap-overread.c"
+        comment-heap-overread.c comment-parent-heap-underread.c"
+ 
+ INDENTSRC="args.c backup.h backup.c dirent_def.h globs.c indent.h \
+         indent.c indent_globs.h io.c lexi.c memcpy.c parse.c pr_comment.c \
+diff --git a/regression/input/comment-parent-heap-underread.c b/regression/input/comment-parent-heap-underread.c
+new file mode 100644
+index 0000000..68e13cf
+--- /dev/null
+++ b/regression/input/comment-parent-heap-underread.c
+@@ -0,0 +1,3 @@
+void foo(void) {
+/*a*/(1);
+}
+diff --git a/regression/standard/comment-parent-heap-underread.c b/regression/standard/comment-parent-heap-underread.c
+new file mode 100644
+index 0000000..9a1c6e3
+--- /dev/null
+++ b/regression/standard/comment-parent-heap-underread.c
+@@ -0,0 +1,5 @@
+void
+foo (void)
+{
+/*a*/ (1);
+}
+diff --git a/src/output.c b/src/output.c
+index 5b92167..b8a4961 100644
+--- a/src/output.c
+++ b/src/output.c
+@@ -290,7 +290,7 @@ void set_buf_break (
+     /* Did we just parse a bracket that will be put on the next line
+      * by this line break? */
+ 
+-    if ((*token == '(') || (*token == '['))
+    if (level > 0 && ((*token == '(') || (*token == '[')))
+     {
+         --level;                        /* then don't take it into account */
+     }
+-- 
+2.34.1
diff --git a/meta-oe/recipes-extended/indent/indent_2.2.12.bb b/meta-oe/recipes-extended/indent/indent_2.2.12.bb
index 2326f47b44..000abe4447 100644
--- a/meta-oe/recipes-extended/indent/indent_2.2.12.bb
+++ b/meta-oe/recipes-extended/indent/indent_2.2.12.bb
@@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \
           file://0001-Remove-dead-paren_level-code.patch \
           file://CVE-2023-40305_0001.patch \
           file://CVE-2023-40305_0002.patch \
+           file://0001-Fix-a-heap-buffer-underread-in-set_buf_break.patch \
           "
 SRC_URI[sha256sum] = "e77d68c0211515459b8812118d606812e300097cfac0b4e9fb3472664263bb8b"
author	hongxu <hongxu.jia@eng.windriver.com>	2025-09-27 12:27:18 +0200
committer	Khem Raj <raj.khem@gmail.com>	2025-09-27 16:18:14 -0700
commit	d1375d37ee514b8883836ca4437e11b013fc781e (patch)
tree	3599e4b8d7c0f825275210c1233b904707d6e365
parent	91ac7b0212113227829deda00c9a58a94d20fce7 (diff)
download	meta-openembedded-d1375d37ee514b8883836ca4437e11b013fc781e.tar.gz

diff --git a/meta-oe/recipes-extended/indent/indent/0001-Fix-a-heap-buffer-underread-in-set_buf_break.patch b/meta-oe/recipes-extended/indent/indent/0001-Fix-a-heap-buffer-underread-in-set_buf_break.patch new file mode 100644 index 0000000000..9938b6ebed --- /dev/null +++ b/meta-oe/recipes-extended/indent/indent/0001-Fix-a-heap-buffer-underread-in-set_buf_break.patch
@@ -0,0 +1,123 @@
		1	From ec3ce4dce7f0bc6f15e8a29eeb3776359e0750fb Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
		3	Date: Fri, 22 Nov 2024 17:27:21 +0800
		4	Subject: [PATCH] Fix a heap buffer underread in set_buf_break()
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	If an opening parenthesis follows a comment with a text, a read from
		10	an invalid address happens in set_buf_break():
		11
		12	$ printf '/a/()' \| valgrind -- ./src/indent - -o /dev/null
		13	==28887== Memcheck, a memory error detector
		14	==28887== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
		15	==28887== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info
		16	==28887== Command: ./src/indent - -o /dev/null
		17	==28887==
		18	==28887== Invalid read of size 2
		19	==28887== at 0x409989: set_buf_break (output.c:319)
		20	==28887== by 0x401FE7: indent_main_loop (indent.c:640)
		21	==28887== by 0x4022A7: indent (indent.c:759)
		22	==28887== by 0x40294E: indent_single_file (indent.c:1004)
		23	==28887== by 0x402A1C: indent_all (indent.c:1042)
		24	==28887== by 0x402BD0: main (indent.c:1123)
		25	==28887== Address 0x4a5facc is 4 bytes before a block of size 16 alloc'd
		26	==28887== at 0x4849E60: calloc (vg_replace_malloc.c:1595)
		27	==28887== by 0x408B61: xmalloc (globs.c:42)
		28	==28887== by 0x40765E: init_parser (parse.c:73)
		29	==28887== by 0x402B1F: main (indent.c:1101)
		30
		31	It happens when checking an indentation level of the outer scope by indexing
		32	parser_state_tos->paren_indents[]:
		33
		34	level = parser_state_tos->p_l_follow;
		35	[...]
		36	/* Did we just parse a bracket that will be put on the next line
		37	* by this line break? */
		38	if ((token == '(') \|\| (token == '['))
		39	--level; /* then don't take it into account */
		40	[...]
		41	if (level == 0) {
		42	} else {
		43	→ if (parser_state_tos->paren_indents[level - 1] < 0) {...}
		44	}
		45
		46	The cause is a special case for moving opening parentheses and
		47	brackets to a next line. If parser_state_tos->p_l_follow is zero
		48	(like in the reproducer), the index evaluates to -2 and goes out of
		49	range of the paren_indents array.
		50
		51	This patch simply prevents from decreasing the index under zero when
		52	formating the code. Maybe it leaves some piece of code unformated, but
		53	it's safe.
		54
		55	I checked all places where p_l_follow is set (it is only in
		56	handletoken.c) and they corretly prevent from decrasing it under
		57	zero. That keeps set_buf_break() in output.c as the culprit.
		58
		59	<https://lists.gnu.org/archive/html/bug-indent/2024-01/msg00000.html>
		60
		61	Signed-off-by: Petr Písař <ppisar@redhat.com>
		62
		63	CVE: CVE-2024-0911
		64	Upstream-Status: Backport [feb2b646e6c3a05018e132515c5eda98ca13d50d
		65	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
		66	---
		67	regression/TEST \| 2 +-
		68	regression/input/comment-parent-heap-underread.c \| 3 +++
		69	regression/standard/comment-parent-heap-underread.c \| 5 +++++
		70	src/output.c \| 2 +-
		71	4 files changed, 10 insertions(+), 2 deletions(-)
		72	create mode 100644 regression/input/comment-parent-heap-underread.c
		73	create mode 100644 regression/standard/comment-parent-heap-underread.c
		74
		75	diff --git a/regression/TEST b/regression/TEST
		76	index a76c112..0888a18 100755
		77	--- a/regression/TEST
		78	+++ b/regression/TEST
		79	@@ -38,7 +38,7 @@ BUGS="case-label.c one-line-1.c one-line-2.c one-line-3.c \
		80	macro.c enum.c elif.c nested.c wrapped-string.c minus_predecrement.c \
		81	bug-gnu-33364.c float-constant-suffix.c block-comments.c \
		82	no-forced-nl-in-block-init.c hexadecimal_float.c \
		83	- comment-heap-overread.c"
		84	+ comment-heap-overread.c comment-parent-heap-underread.c"
		85
		86	INDENTSRC="args.c backup.h backup.c dirent_def.h globs.c indent.h \
		87	indent.c indent_globs.h io.c lexi.c memcpy.c parse.c pr_comment.c \
		88	diff --git a/regression/input/comment-parent-heap-underread.c b/regression/input/comment-parent-heap-underread.c
		89	new file mode 100644
		90	index 0000000..68e13cf
		91	--- /dev/null
		92	+++ b/regression/input/comment-parent-heap-underread.c
		93	@@ -0,0 +1,3 @@
		94	+void foo(void) {
		95	+/a/(1);
		96	+}
		97	diff --git a/regression/standard/comment-parent-heap-underread.c b/regression/standard/comment-parent-heap-underread.c
		98	new file mode 100644
		99	index 0000000..9a1c6e3
		100	--- /dev/null
		101	+++ b/regression/standard/comment-parent-heap-underread.c
		102	@@ -0,0 +1,5 @@
		103	+void
		104	+foo (void)
		105	+{
		106	+/a/ (1);
		107	+}
		108	diff --git a/src/output.c b/src/output.c
		109	index 5b92167..b8a4961 100644
		110	--- a/src/output.c
		111	+++ b/src/output.c
		112	@@ -290,7 +290,7 @@ void set_buf_break (
		113	/* Did we just parse a bracket that will be put on the next line
		114	* by this line break? */
		115
		116	- if ((token == '(') \|\| (token == '['))
		117	+ if (level > 0 && ((token == '(') \|\| (token == '[')))
		118	{
		119	--level; /* then don't take it into account */
		120	}
		121	--
		122	2.34.1
		123


diff --git a/meta-oe/recipes-extended/indent/indent_2.2.12.bb b/meta-oe/recipes-extended/indent/indent_2.2.12.bb index 2326f47b44..000abe4447 100644 --- a/meta-oe/recipes-extended/indent/indent_2.2.12.bb +++ b/meta-oe/recipes-extended/indent/indent_2.2.12.bb
@@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \
19	file://0001-Remove-dead-paren_level-code.patch \	19	file://0001-Remove-dead-paren_level-code.patch \
20	file://CVE-2023-40305_0001.patch \	20	file://CVE-2023-40305_0001.patch \
21	file://CVE-2023-40305_0002.patch \	21	file://CVE-2023-40305_0002.patch \
		22	file://0001-Fix-a-heap-buffer-underread-in-set_buf_break.patch \
22	"	23	"
23	SRC_URI[sha256sum] = "e77d68c0211515459b8812118d606812e300097cfac0b4e9fb3472664263bb8b"	24	SRC_URI[sha256sum] = "e77d68c0211515459b8812118d606812e300097cfac0b4e9fb3472664263bb8b"
24		25