meta-openembedded/meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_2.patch
2025-12-17 11:45:21 +05:30


From 8ac5af4bc4b6344442f11f35fdc48177ce570a13 Mon Sep 17 00:00:00 2001
From: Christopher Wellons <wellons@nullprogram.com>
Date: Sat, 17 Feb 2024 16:01:57 -0500
Subject: [PATCH] Fix pointer overflow in STRING_CAT

The end pointer is positioned one past the end of the destination, and
it is undefined behavior to compute an address beyond the end pointer,
including for comparisons, even temporarily. The UB occurs exactly when
buffer overflow would have occurred, so the buffer overflow check could
be optimized away by compilers. Even if this wasn't the case, the check
could produce a false negative if the computed address overflowed the
address space, which is, after all, why the C standard doesn't define
behavior in the first place.

The fix is simple: Check using sizes, not addresses. The explicit cast
suppresses warnings about signed-unsigned comparisons, and the assertion
checks the cast.

CVE: CVE-2024-53849
Upstream-Status: Backport [https://github.com/editorconfig/editorconfig-core-c/commit/4d5518a0a4e4910c37281ab13a048d0d86999782]
(cherry picked from commit 4d5518a0a4e4910c37281ab13a048d0d86999782)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
src/lib/ec_glob.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/lib/ec_glob.c b/src/lib/ec_glob.c
index e62af1f..c2b83cf 100644
--- a/src/lib/ec_glob.c
+++ b/src/lib/ec_glob.c
@@ -27,6 +27,7 @@
#include "global.h"
+#include <assert.h>
#include <ctype.h>
#include <string.h>
#include <pcre2.h>
@@ -51,7 +52,8 @@ static const UT_icd ut_int_pair_icd = {sizeof(int_pair),NULL,NULL,NULL};
/* concatenate the string then move the pointer to the end */
#define STRING_CAT(p, string, end) do { \
size_t string_len = strlen(string); \
- if (p + string_len >= end) \
+ assert(end > p); \
+ if (string_len >= (size_t)(end - p)) \
return -1; \
strcat(p, string); \
p += string_len; \
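Review bot: The `assert(end > p);` guard in STRING_CAT only exists in builds without NDEBUG, so in a release build nothing checks the precondition that makes the cast `(size_t)(end - p)` safe. If `p` were ever past `end`, the difference would be negative, the cast would turn it into a very large size, `string_len >= ...` would be false, and `strcat(p, string)` would run anyway. Since the macro already has a failure path, consider folding the precondition into the runtime check, for example `if (end <= p || string_len >= (size_t)(end - p)) return -1;`, and keeping the assert only as a debug aid. That form also returns -1 instead of aborting in the `end == p` case, which the size comparison alone already treats as "no room". If the recipe's build defines NDEBUG, a short comment next to the macro stating that callers must keep `p < end` would document what the assertion no longer enforces.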