mujs/mujs-1.2.0-stack-exhaustion.patch
2022-05-18 15:52:38 +00:00


diff -Pdpru mujs-1.2.0.orig/jsdump.c mujs-1.2.0/jsdump.c
--- mujs-1.2.0.orig/jsdump.c 2021-12-08 14:56:12.000000000 +0300
+++ mujs-1.2.0/jsdump.c 2022-05-18 18:37:44.522227643 +0300
@@ -682,11 +682,13 @@ static void pstmlist(int d, js_Ast *list
void jsP_dumpsyntax(js_State *J, js_Ast *prog, int dominify)
{
minify = dominify;
- if (prog->type == AST_LIST)
- pstmlist(-1, prog);
- else {
- pstm(0, prog);
- nl();
+ if (prog) {
+ if (prog->type == AST_LIST)
+ pstmlist(-1, prog);
+ else {
+ pstm(0, prog);
+ nl();
+ }
}
if (minify > 1)
putchar('\n');
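Review bot: The new `if (prog)` guard in jsP_dumpsyntax carries no comment saying when `prog` can be NULL, and the patch is named for stack exhaustion, so a later reader cannot tell why a NULL check is here. I would add `/* prog may be NULL (presumably an empty program); nothing to dump */` above the guard, here and above the matching guard in jsP_dumplist. The two functions also now differ for a NULL tree: jsP_dumplist skips `nl()` entirely, while this one still reaches the `minify > 1` newline; if that is intended, say so in the comment. The function body continues past the end of this hunk.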
@@ -768,11 +770,13 @@ static void sblock(int d, js_Ast *list)
void jsP_dumplist(js_State *J, js_Ast *prog)
{
minify = 0;
- if (prog->type == AST_LIST)
- sblock(0, prog);
- else
- snode(0, prog);
- nl();
+ if (prog) {
+ if (prog->type == AST_LIST)
+ sblock(0, prog);
+ else
+ snode(0, prog);
+ nl();
+ }
}
/* Compiled code */
diff -Pdpru mujs-1.2.0.orig/regexp.c mujs-1.2.0/regexp.c
--- mujs-1.2.0.orig/regexp.c 2021-12-08 14:56:12.000000000 +0300
+++ mujs-1.2.0/regexp.c 2022-05-18 18:32:24.114001044 +0300
@@ -622,25 +622,26 @@ struct Reinst {
Reinst *y;
};
-static int count(struct cstate *g, Renode *node)
+static int count(struct cstate *g, Renode *node, int depth)
{
int min, max, n;
if (!node) return 0;
+ if (++depth > REG_MAXREC) die(g, "stack overflow");
switch (node->type) {
default: return 1;
- case P_CAT: return count(g, node->x) + count(g, node->y);
- case P_ALT: return count(g, node->x) + count(g, node->y) + 2;
+ case P_CAT: return count(g, node->x, depth) + count(g, node->y, depth);
+ case P_ALT: return count(g, node->x, depth) + count(g, node->y, depth) + 2;
case P_REP:
min = node->m;
max = node->n;
- if (min == max) n = count(g, node->x) * min;
- else if (max < REPINF) n = count(g, node->x) * max + (max - min);
- else n = count(g, node->x) * (min + 1) + 2;
+ if (min == max) n = count(g, node->x, depth) * min;
+ else if (max < REPINF) n = count(g, node->x, depth) * max + (max - min);
+ else n = count(g, node->x, depth) * (min + 1) + 2;
if (n < 0 || n > REG_MAXPROG) die(g, "program too large");
return n;
- case P_PAR: return count(g, node->x) + 2;
- case P_PLA: return count(g, node->x) + 2;
- case P_NLA: return count(g, node->x) + 2;
+ case P_PAR: return count(g, node->x, depth) + 2;
+ case P_PLA: return count(g, node->x, depth) + 2;
+ case P_NLA: return count(g, node->x, depth) + 2;
}
}
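Review bot: The `P_REP` branch of count() still multiplies the child count by `min`, `max` or `min + 1` in signed `int` and tests `n < 0 || n > REG_MAXPROG` only afterwards, so an oversized product is signed overflow (undefined behaviour) before the check can reject it; the depth limit added here does not cover that. The `P_CAT` and `P_ALT` sums are also returned unchecked and can feed a large value into that multiply. Bounding the operand first would close it: `n = count(g, node->x, depth);` followed by `if (n > REG_MAXPROG) die(g, "program too large");` before the multiplication, assuming the repeat counts are themselves bounded as the `max < REPINF` comparison suggests. Regex source usually comes from the script being run, so the size check should not depend on how the compiler treats wraparound.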
@@ -903,7 +904,7 @@ Reprog *regcompx(void *(*alloc)(void *ct
putchar('\n');
#endif
- n = 6 + count(&g, node);
+ n = 6 + count(&g, node, 0);
if (n < 0 || n > REG_MAXPROG)
die(&g, "program too large");