newsboat: add upstream patch to fix buffer overflow

This fixes issue with overflow when adding terminating null byte properly, without increasing buffer size.
2021-09-09 09:42:35 +02:00 · 2021-09-09 09:42:35 +02:00 · 69c4673016
commit 69c4673016
parent 949eb90988
3 changed files with 24 additions and 22 deletions
--- a/packages/newsboat/build.sh
+++ b/packages/newsboat/build.sh
@ -3,7 +3,7 @@ TERMUX_PKG_DESCRIPTION="RSS/Atom feed reader for the text console"
 TERMUX_PKG_LICENSE="MIT"
 TERMUX_PKG_MAINTAINER="@termux"
 TERMUX_PKG_VERSION=2.24
-TERMUX_PKG_REVISION=1
+TERMUX_PKG_REVISION=2
 TERMUX_PKG_SRCURL=https://newsboat.org/releases/${TERMUX_PKG_VERSION}/newsboat-${TERMUX_PKG_VERSION}.tar.xz
 TERMUX_PKG_SHA256=62420688cca25618859548d10ff6df9ac75b9cf766699f37edd3e324d67c6ffb
 TERMUX_PKG_DEPENDS="libc++, libiconv, libandroid-support, libandroid-glob, json-c, libsqlite, libcurl, libxml2, stfl, ncurses, openssl"
--- a/packages/newsboat/mbc-buffer-length-fix.patch
+++ b/packages/newsboat/mbc-buffer-length-fix.patch
@ -1,21 +0,0 @@
-diff -uNr newsboat-2.24/src/tagsouppullparser.cpp newsboat-2.24.mod/src/tagsouppullparser.cpp
--- newsboat-2.24/src/tagsouppullparser.cpp	2021-06-20 20:40:09.000000000 +0300
-+++ newsboat-2.24.mod/src/tagsouppullparser.cpp	2021-09-08 23:50:47.207115677 +0300
-@@ -445,7 +445,7 @@
- 	if (s.length() > 1 && s[0] == '#') {
- 		std::string result;
- 		unsigned int wc;
-		char mbc[MB_LEN_MAX];
-+		char mbc[16];
- 		mbc[0] = '\0';
- 		if (s[1] == 'x') {
- 			s.erase(0, 2);
-@@ -499,7 +499,7 @@
- 	} else {
- 		for (unsigned int i = 0; entity_table[i].entity; ++i) {
- 			if (s == entity_table[i].entity) {
-				char mbc[MB_LEN_MAX];
-+				char mbc[16];
- 				const int pos = wcrtomb(mbc, entity_table[i].value, &mb_state);
- 				if (pos == -1) {
- 					return std::string();
--- a/packages/newsboat/mbc_write.patch
+++ b/packages/newsboat/mbc_write.patch
@ -0,0 +1,23 @@
+commit dcced88a134f79cc5ccbe36ed5be51d73bd8f356
+Author: mcz <emcze@ya.ru>
+Date:   Sun Aug 22 20:50:26 2021 +0200
+
+    Fix write outside of bounds
+    
+    Adding terminating '\0' to the mbc results in a crash when pos == MB_LEN_MAX,
+    which is true for 4-byte characters and musl.
+
+diff --git a/src/tagsouppullparser.cpp b/src/tagsouppullparser.cpp
+index de62d3ec..da0aabed 100644
+--- a/src/tagsouppullparser.cpp
+++ b/src/tagsouppullparser.cpp
+@@ -485,8 +485,7 @@ std::string TagSoupPullParser::decode_entity(std::string s)
+ 
+ 		const int pos = wcrtomb(mbc, static_cast<wchar_t>(wc), &mb_state);
+ 		if (pos > 0) {
+-			mbc[pos] = '\0';
+-			result.append(mbc);
+			result.append(mbc, pos);
+ 		}
+ 		LOG(Level::DEBUG,
+ 			"TagSoupPullParser::decode_entity: wc = %u pos = %d "