From 69c46730166dff540bf819b953cf168c196a2281 Mon Sep 17 00:00:00 2001
From: Henrik Grimler
Date: Thu, 9 Sep 2021 09:42:35 +0200
Subject: [PATCH] newsboat: add upstream patch to fix buffer overflow

This fixes issue with overflow when adding terminating null byte properly, without increasing buffer size.
---
 packages/newsboat/build.sh | 2 +-
 packages/newsboat/mbc-buffer-length-fix.patch | 21 -----------------
 packages/newsboat/mbc_write.patch | 23 +++++++++++++++++++
 3 files changed, 24 insertions(+), 22 deletions(-)
 delete mode 100644 packages/newsboat/mbc-buffer-length-fix.patch
 create mode 100644 packages/newsboat/mbc_write.patch

diff --git a/packages/newsboat/build.sh b/packages/newsboat/build.sh
index c400e8eb3..784c9dcf5 100644
--- a/packages/newsboat/build.sh
+++ b/packages/newsboat/build.sh
@@ -3,7 +3,7 @@ TERMUX_PKG_DESCRIPTION="RSS/Atom feed reader for the text console"
 TERMUX_PKG_LICENSE="MIT"
 TERMUX_PKG_MAINTAINER="@termux"
 TERMUX_PKG_VERSION=2.24
-TERMUX_PKG_REVISION=1
+TERMUX_PKG_REVISION=2
 TERMUX_PKG_SRCURL=https://newsboat.org/releases/${TERMUX_PKG_VERSION}/newsboat-${TERMUX_PKG_VERSION}.tar.xz
 TERMUX_PKG_SHA256=62420688cca25618859548d10ff6df9ac75b9cf766699f37edd3e324d67c6ffb
 TERMUX_PKG_DEPENDS="libc++, libiconv, libandroid-support, libandroid-glob, json-c, libsqlite, libcurl, libxml2, stfl, ncurses, openssl"
diff --git a/packages/newsboat/mbc-buffer-length-fix.patch b/packages/newsboat/mbc-buffer-length-fix.patch
deleted file mode 100644
index 8b239c6b1..000000000
--- a/packages/newsboat/mbc-buffer-length-fix.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff -uNr newsboat-2.24/src/tagsouppullparser.cpp newsboat-2.24.mod/src/tagsouppullparser.cpp
---- newsboat-2.24/src/tagsouppullparser.cpp 2021-06-20 20:40:09.000000000 +0300
-+++ newsboat-2.24.mod/src/tagsouppullparser.cpp 2021-09-08 23:50:47.207115677 +0300
-@@ -445,7 +445,7 @@
- if (s.length() > 1 && s[0] == '#') {
- std::string result;
- unsigned int wc;
-- char mbc[MB_LEN_MAX];
-+ char mbc[16];
- mbc[0] = '\0';
- if (s[1] == 'x') {
- s.erase(0, 2);
-@@ -499,7 +499,7 @@
- } else {
- for (unsigned int i = 0; entity_table[i].entity; ++i) {
- if (s == entity_table[i].entity) {
-- char mbc[MB_LEN_MAX];
-+ char mbc[16];
- const int pos = wcrtomb(mbc, entity_table[i].value, &mb_state);
- if (pos == -1) {
- return std::string();
diff --git a/packages/newsboat/mbc_write.patch b/packages/newsboat/mbc_write.patch
new file mode 100644
index 000000000..ea4db7fb3
--- /dev/null
+++ b/packages/newsboat/mbc_write.patch
@@ -0,0 +1,23 @@
+commit dcced88a134f79cc5ccbe36ed5be51d73bd8f356
+Author: mcz
+Date: Sun Aug 22 20:50:26 2021 +0200
+
+ Fix write outside of bounds
+
+ Adding terminating '\0' to the mbc results in a crash when pos == MB_LEN_MAX,
+ which is true for 4-byte characters and musl.
+
+diff --git a/src/tagsouppullparser.cpp b/src/tagsouppullparser.cpp
+index de62d3ec..da0aabed 100644
+--- a/src/tagsouppullparser.cpp
++++ b/src/tagsouppullparser.cpp
+@@ -485,8 +485,7 @@ std::string TagSoupPullParser::decode_entity(std::string s)
+
+ const int pos = wcrtomb(mbc, static_cast(wc), &mb_state);
+ if (pos > 0) {
+- mbc[pos] = '\0';
+- result.append(mbc);
++ result.append(mbc, pos);
+ }
+ LOG(Level::DEBUG,
+ "TagSoupPullParser::decode_entity: wc = %u pos = %d "
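Review bot: The vendored upstream fix changes only the numeric-entity branch (the `@@ -485,8 +485,7 @@` hunk, now `result.append(mbc, pos);`), whereas the deleted mbc-buffer-length-fix.patch also enlarged a second `char mbc[MB_LEN_MAX];` inside the `entity_table` loop (its `@@ -499,7 +499,7 @@` hunk), and that buffer returns to `MB_LEN_MAX` bytes with this commit. The code after `if (pos == -1) {` in that branch is not visible here, so it should be confirmed against the 2.24 source that the string is built with an explicit length, e.g. `return std::string(mbc, pos);`, and never by writing `mbc[pos] = '\0'`; if it does terminate the buffer, the same one-line change is needed there. A sentence in the commit message recording that the named-entity path was checked would make dropping the 16-byte workaround auditable. The body of decode_entity continues outside the hunk.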