2 files changed, 58 insertions, 0 deletions
diff --git a/meta/recipes-extended/screen/screen/0001-Fix-stack-overflow-due-to-too-deep-recursion.patch b/meta/recipes-extended/screen/screen/0001-Fix-stack-overflow-due-to-too-deep-recursion.patch
new file mode 100644
index 0000000000..2bc9a59bea
--- /dev/null
+++ b/meta/recipes-extended/screen/screen/0001-Fix-stack-overflow-due-to-too-deep-recursion.patch
@@ -0,0 +1,57 @@
+Bug: 45713
+How to reproduce:
+Run this command inside screen
+$ printf '\x1b[10000000T'
+screen will recursively call MScrollV to depth n/256.
+This is time consuming and will overflow stack if n is huge.
+Fixes CVE-2015-6806
+Upstream-Status: Backport
+Signed-off-by: Kuang-che Wu <kcwu@csie.org>
+Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>
+Signed-off-by: Maxin B. John <maxin.john@intel.com>
+---
+diff -Naur screen-4.3.1-orig/ansi.c screen-4.3.1/ansi.c
+--- screen-4.3.1-orig/ansi.c    2015-06-29 00:22:55.000000000 +0300
+++ screen-4.3.1/ansi.c 2015-10-06 13:13:58.297648039 +0300
+@@ -2502,13 +2502,13 @@
+     return;
+   if (n > 0)
+     {
+      if (ye - ys + 1 < n)
+         n = ye - ys + 1;
+       if (n > 256)
+        {
+          MScrollV(p, n - 256, ys, ye, bce);
+          n = 256;
+        }
+-      if (ye - ys + 1 < n)
+-       n = ye - ys + 1;
+ #ifdef COPY_PASTE
+       if (compacthist)
+        {
+@@ -2562,15 +2562,15 @@
+     }
+   else
+     {
+-      if (n < -256)
+-       {
+-         MScrollV(p, n + 256, ys, ye, bce);
+-         n = -256;
+-       }
+       n = -n;
+       if (ye - ys + 1 < n)
+        n = ye - ys + 1;
+ 
+      if (n > 256)
+      {
+        MScrollV(p, - (n - 256), ys, ye, bce);
+        n = 256;
+      }
+       ml = p->w_mlines + ye;
+       /* Clear lines */
+       for (i = ye; i > ye - n; i--, ml--)
diff --git a/meta/recipes-extended/screen/screen_4.3.1.bb b/meta/recipes-extended/screen/screen_4.3.1.bb
index 92457af171..00d878b2c1 100644
--- a/meta/recipes-extended/screen/screen_4.3.1.bb
+++ b/meta/recipes-extended/screen/screen_4.3.1.bb
@@ -24,6 +24,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \
           file://Avoid-mis-identifying-systems-as-SVR4.patch \
           file://0001-fix-for-multijob-build.patch \
           file://0002-comm.h-now-depends-on-term.h.patch \
+           file://0001-Fix-stack-overflow-due-to-too-deep-recursion.patch \
          "
 SRC_URI[md5sum] = "5bb3b0ff2674e29378c31ad3411170ad"

diff --git a/meta/recipes-extended/screen/screen/0001-Fix-stack-overflow-due-to-too-deep-recursion.patch b/meta/recipes-extended/screen/screen/0001-Fix-stack-overflow-due-to-too-deep-recursion.patch new file mode 100644 index 0000000000..2bc9a59bea --- /dev/null +++ b/meta/recipes-extended/screen/screen/0001-Fix-stack-overflow-due-to-too-deep-recursion.patch
@@ -0,0 +1,57 @@
		1	Bug: 45713
		2
		3	How to reproduce:
		4	Run this command inside screen
		5	$ printf '\x1b[10000000T'
		6
		7	screen will recursively call MScrollV to depth n/256.
		8	This is time consuming and will overflow stack if n is huge.
		9
		10	Fixes CVE-2015-6806
		11
		12	Upstream-Status: Backport
		13
		14	Signed-off-by: Kuang-che Wu <kcwu@csie.org>
		15	Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>
		16	Signed-off-by: Maxin B. John <maxin.john@intel.com>
		17	---
		18	diff -Naur screen-4.3.1-orig/ansi.c screen-4.3.1/ansi.c
		19	--- screen-4.3.1-orig/ansi.c 2015-06-29 00:22:55.000000000 +0300
		20	+++ screen-4.3.1/ansi.c 2015-10-06 13:13:58.297648039 +0300
		21	@@ -2502,13 +2502,13 @@
		22	return;
		23	if (n > 0)
		24	{
		25	+ if (ye - ys + 1 < n)
		26	+ n = ye - ys + 1;
		27	if (n > 256)
		28	{
		29	MScrollV(p, n - 256, ys, ye, bce);
		30	n = 256;
		31	}
		32	- if (ye - ys + 1 < n)
		33	- n = ye - ys + 1;
		34	#ifdef COPY_PASTE
		35	if (compacthist)
		36	{
		37	@@ -2562,15 +2562,15 @@
		38	}
		39	else
		40	{
		41	- if (n < -256)
		42	- {
		43	- MScrollV(p, n + 256, ys, ye, bce);
		44	- n = -256;
		45	- }
		46	n = -n;
		47	if (ye - ys + 1 < n)
		48	n = ye - ys + 1;
		49
		50	+ if (n > 256)
		51	+ {
		52	+ MScrollV(p, - (n - 256), ys, ye, bce);
		53	+ n = 256;
		54	+ }
		55	ml = p->w_mlines + ye;
		56	/* Clear lines */
		57	for (i = ye; i > ye - n; i--, ml--)


diff --git a/meta/recipes-extended/screen/screen_4.3.1.bb b/meta/recipes-extended/screen/screen_4.3.1.bb index 92457af171..00d878b2c1 100644 --- a/meta/recipes-extended/screen/screen_4.3.1.bb +++ b/meta/recipes-extended/screen/screen_4.3.1.bb
@@ -24,6 +24,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \
24	file://Avoid-mis-identifying-systems-as-SVR4.patch \	24	file://Avoid-mis-identifying-systems-as-SVR4.patch \
25	file://0001-fix-for-multijob-build.patch \	25	file://0001-fix-for-multijob-build.patch \
26	file://0002-comm.h-now-depends-on-term.h.patch \	26	file://0002-comm.h-now-depends-on-term.h.patch \
		27	file://0001-Fix-stack-overflow-due-to-too-deep-recursion.patch \
27	"	28	"
28		29
29	SRC_URI[md5sum] = "5bb3b0ff2674e29378c31ad3411170ad"	30	SRC_URI[md5sum] = "5bb3b0ff2674e29378c31ad3411170ad"