# HG changeset patch
# Parent c8e8364b303892fdb5a574b96411d2d8f699a15e
Patch the flex-generated lexical parser files, which may be exploitable
through a buffer overrun. These seem to come from upstream projects
(CMU Sphinx and ANGLE), so the issue should be fixed there in the first place.
CVE-2016-6354
https://bugzilla.suse.com/show_bug.cgi?id=990856
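--- a/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
+++ b/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
@@ -1375,17 +1375,17 @@ static int yy_get_next_buffer (yyscan_t
 if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
 /* don't do the read, it's not guaranteed to return an EOF,
 * just force an EOF
 */
 YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
 
 else
 {
- yy_size_t num_to_read =
+ int num_to_read =
 YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
 
 while ( num_to_read <= 0 )
 { /* Not enough room in the buffer - grow it. */
 
 /* just a shorter name for the current buffer */
 YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
 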
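Review bot: The new `int num_to_read =` declaration carries no comment explaining why it must be signed, and the initialiser `yy_buf_size - number_to_move - 1` is still evaluated in the operands' own types before being narrowed. Those declarations are outside the hunk, but if `yy_buf_size` is unsigned, the subtraction wraps first and the `while ( num_to_read <= 0 )` grow path then depends on an implementation-defined conversion to int. I would add `/* must stay signed: a negative value means the buffer is full and has to be grown (CVE-2016-6354) */` above the declaration, and consider an explicit cast such as `(int) YY_CURRENT_BUFFER_LVALUE->yy_buf_size - (int) number_to_move - 1;`. The same applies to the identical hunks in glslang_lex.cpp and jsgf_scanner.c. Because all three files are flex output, regenerating them with an unfixed flex would silently restore the unsigned declaration, so the comment also serves as a marker for whoever regenerates them. yy_get_next_buffer starts and ends outside the hunk.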
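--- a/gfx/angle/src/compiler/translator/glslang_lex.cpp
+++ b/gfx/angle/src/compiler/translator/glslang_lex.cpp
@@ -2269,17 +2269,17 @@ static int yy_get_next_buffer (yyscan_t
 if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
 /* don't do the read, it's not guaranteed to return an EOF,
 * just force an EOF
 */
 YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
 
 else
 {
- yy_size_t num_to_read =
+ int num_to_read =
 YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
 
 while ( num_to_read <= 0 )
 { /* Not enough room in the buffer - grow it. */
 
 /* just a shorter name for the current buffer */
 YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
 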
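--- a/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
+++ b/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
@@ -1242,17 +1242,17 @@ static int yy_get_next_buffer (yyscan_t
 if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
 /* don't do the read, it's not guaranteed to return an EOF,
 * just force an EOF
 */
 YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
 
 else
 {
- yy_size_t num_to_read =
+ int num_to_read =
 YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
 
 while ( num_to_read <= 0 )
 { /* Not enough room in the buffer - grow it. */
 
 /* just a shorter name for the current buffer */
 YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
 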