!17 [sync] PR-16: Fix CVE-2024-0911

From: @openeuler-sync-bot 
Reviewed-by: @starlet-dx 
Signed-off-by: @starlet-dx

CVE-2024-0911.patch

@@ -0,0 +1,124 @@
+From 32df891141689ed73499f4e60f64268957f1e3c2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Wed, 24 Jan 2024 14:03:58 +0100
+Subject: [PATCH] Fix a heap buffer underread in set_buf_break()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If an opening parenthesis follows a comment with a text, a read from
+an invalid address happens in set_buf_break():
+
+    $ printf '/*a*/()' | valgrind -- ./src/indent - -o /dev/null
+    ==28887== Memcheck, a memory error detector
+    ==28887== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward
+et al.
+    ==28887== Using Valgrind-3.22.0 and LibVEX; rerun with -h for
+copyright info
+    ==28887== Command: ./src/indent - -o /dev/null
+    ==28887==
+    ==28887== Invalid read of size 2
+    ==28887==    at 0x409989: set_buf_break (output.c:319)
+    ==28887==    by 0x401FE7: indent_main_loop (indent.c:640)
+    ==28887==    by 0x4022A7: indent (indent.c:759)
+    ==28887==    by 0x40294E: indent_single_file (indent.c:1004)
+    ==28887==    by 0x402A1C: indent_all (indent.c:1042)
+    ==28887==    by 0x402BD0: main (indent.c:1123)
+    ==28887==  Address 0x4a5facc is 4 bytes before a block of size 16
+alloc'd
+    ==28887==    at 0x4849E60: calloc (vg_replace_malloc.c:1595)
+    ==28887==    by 0x408B61: xmalloc (globs.c:42)
+    ==28887==    by 0x40765E: init_parser (parse.c:73)
+    ==28887==    by 0x402B1F: main (indent.c:1101)
+
+It happens when checking an indentation level of the outer scope by
+indexing
+parser_state_tos->paren_indents[]:
+
+    level = parser_state_tos->p_l_follow;
+    [...]
+    /* Did we just parse a bracket that will be put on the next line
+     * by this line break? */
+    if ((*token == '(') || (*token == '['))
+        --level;    /* then don't take it into account */
+    [...]
+    if (level == 0) {
+    } else {
+→       if (parser_state_tos->paren_indents[level - 1] < 0) {...}
+    }
+
+The cause is a special case for moving opening parentheses and
+brackets to a next line. If parser_state_tos->p_l_follow is zero
+(like in the reproducer), the index evaluates to -2 and goes out of
+range of the paren_indents array.
+
+This patch simply prevents from decreasing the index under zero when
+formating the code. Maybe it leaves some piece of code unformated, but
+it's safe.
+
+I checked all places where p_l_follow is set (it is only in
+handletoken.c) and they corretly prevent from decrasing it under
+zero. That keeps set_buf_break() in output.c as the culprit.
+
+<https://lists.gnu.org/archive/html/bug-indent/2024-01/msg00000.html>
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ regression/TEST                                     | 3 ++-
+ regression/input/comment-parent-heap-underread.c    | 3 +++
+ regression/standard/comment-parent-heap-underread.c | 5 +++++
+ src/output.c                                        | 2 +-
+ 4 files changed, 11 insertions(+), 2 deletions(-)
+ create mode 100644 regression/input/comment-parent-heap-underread.c
+ create mode 100644 regression/standard/comment-parent-heap-underread.c
+
+diff --git a/regression/TEST b/regression/TEST
+index 7db4c36..d052558 100755
+--- a/regression/TEST
++++ b/regression/TEST
+@@ -36,7 +36,8 @@ EXAMPLES="do.c else.c for.c func-def.c lshift.c ncs.c \
+ BUGS="case-label.c one-line-1.c one-line-2.c one-line-3.c \
+         one-line-4.c struct-decl.c sizeof-in-while.c line-break-comment.c \
+         macro.c enum.c elif.c nested.c wrapped-string.c minus_predecrement.c \
+-        float-constant-suffix.c hexadecimal_float.c"
++        float-constant-suffix.c hexadecimal_float.c \
++        comment-parent-heap-underread.c"
+ 
+ INDENTSRC="args.c backup.h backup.c dirent_def.h globs.c indent.h \
+         indent.c indent_globs.h io.c lexi.c memcpy.c parse.c pr_comment.c \
+diff --git a/regression/input/comment-parent-heap-underread.c b/regression/input/comment-parent-heap-underread.c
+new file mode 100644
+index 0000000..68e13cf
+--- /dev/null
++++ b/regression/input/comment-parent-heap-underread.c
+@@ -0,0 +1,3 @@
++void foo(void) {
++/*a*/(1);
++}
+diff --git a/regression/standard/comment-parent-heap-underread.c b/regression/standard/comment-parent-heap-underread.c
+new file mode 100644
+index 0000000..9a1c6e3
+--- /dev/null
++++ b/regression/standard/comment-parent-heap-underread.c
+@@ -0,0 +1,5 @@
++void
++foo (void)
++{
++/*a*/ (1);
++}
+diff --git a/src/output.c b/src/output.c
+index f0ca617..0681623 100644
+--- a/src/output.c
++++ b/src/output.c
+@@ -291,7 +291,7 @@ void set_buf_break (
+     /* Did we just parse a bracket that will be put on the next line
+      * by this line break? */
+ 
+-    if ((*token == '(') || (*token == '['))
++    if (level > 0 && ((*token == '(') || (*token == '[')))
+     {
+         --level;                        /* then don't take it into account */
+     }
+-- 
+2.33.0
+

indent.spec

@@ -2,7 +2,7 @@
 Name: indent
 Summary: A tool to make code easier to read
 Version: 2.2.11
-Release: 29
+Release: 30
 License: GPLv3+
 URL: http://www.gnu.org/software/%{name}/
 Source: http://ftp.gnu.org/gnu/indent/%{name}-%{version}.tar.gz
@@ -20,6 +20,8 @@ Patch15: indent-2.2.11-doc-Correct-a-typo-about-enabling-control-comment.patch
 Patch16: indent-2.2.11-Fix-nbdfa-and-nbdfe-typo.patch
 Patch17: fix-an-out-of-buffer-read-CVE-2023-40305.patch
 Patch18: fix-a-heap-buffer-overwrite-CVE-2023-40305.patch
+# https://lists.gnu.org/archive/html/bug-indent/2024-01/msg00001.html
+Patch19: CVE-2024-0911.patch
 
 BuildRequires:  gettext-devel automake gcc autoconf
 BuildRequires:  make coreutils gperf texinfo texi2html
@@ -63,6 +65,9 @@ make -C regression
 %exclude %{_infodir}/dir
 
 %changelog
+* Mon Feb 05 2024 yaoxin <yao_xin001@hoperun.com> - 2.2.11-30
+- Fix CVE-2024-0911
+
 * Tue Aug 29 2023 wangkai <13474090681@163.com> - 2.2.11-29
 - Fix CVE-2023-40305