editorconfig-core-c: patch CVE-2024-53849

Details https://nvd.nist.gov/vuln/detail/CVE-2024-53849 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-02 02:49:12 +00:00 · 2025-12-16 12:43:29 +05:30 · 2025-12-16 12:43:29 +05:30 · 1c7b69ee0b
commit 1c7b69ee0b
parent d9148434ad
3 changed files with 106 additions and 1 deletions
--- a/meta-oe/recipes-devtools/editorconfig/editorconfig-core-c_0.12.6.bb
+++ b/meta-oe/recipes-devtools/editorconfig/editorconfig-core-c_0.12.6.bb
@ -4,7 +4,10 @@ SECTION = "libs"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=f515fff3ea0a2b9797eda60d83c0e5ca"

-SRC_URI = "git://github.com/editorconfig/editorconfig-core-c.git;protocol=https;branch=master"
+SRC_URI = "git://github.com/editorconfig/editorconfig-core-c.git;protocol=https;branch=master \
+           file://CVE-2024-53849_1.patch \
+           file://CVE-2024-53849_2.patch \
+"

 S = "${WORKDIR}/git"
 SRCREV = "b7837029494c03af5ea70ed9d265e8c2123bff53"
--- a/meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_1.patch
+++ b/meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_1.patch
@ -0,0 +1,54 @@
+From d47a37a6186d98c6db308d467f822c438972bdbc Mon Sep 17 00:00:00 2001
+From: Christopher Wellons <wellons@nullprogram.com>
+Date: Sat, 17 Feb 2024 15:32:25 -0500
+Subject: [PATCH] Fix a few more stack buffer overflows
+
+Several overflows may occur in switch case '[' when the input pattern
+contains many escaped characters. The added backslashes leave too little
+space in the output pattern when processing nested brackets such that
+the remaining input length exceeds the output capacity. Therefore all
+these concatenations must also be checked.
+
+The ADD_CHAR was missed in 41281ea (#87). The switch can exit exactly at
+capacity, leaving no room for the finishing '$', causing an overflow.
+
+These overflows were discovered through fuzz testing with afl.
+
+CVE: CVE-2024-53849
+Upstream-Status: Backport [https://github.com/editorconfig/editorconfig-core-c/commit/fca7cf19e0fb800c2d38f173c1f69ad40bf2a2f5]
+(cherry picked from commit fca7cf19e0fb800c2d38f173c1f69ad40bf2a2f5)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/lib/ec_glob.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/ec_glob.c b/src/lib/ec_glob.c
+index ea62aee..e62af1f 100644
+--- a/src/lib/ec_glob.c
+++ b/src/lib/ec_glob.c
+@@ -192,10 +192,14 @@ int ec_glob(const char *pattern, const char *string)
+                     if (!right_bracket)  /* The right bracket may not exist */
+                         right_bracket = c + strlen(c);
+ 
+-                    strcat(p_pcre, "\\");
+                    STRING_CAT(p_pcre, "\\", pcre_str_end);
+                    /* Boundary check for strncat below. */
+                    if (pcre_str_end - p_pcre <= right_bracket - c) {
+                        return -1;
+                    }
+                     strncat(p_pcre, c, right_bracket - c);
+                     if (*right_bracket)  /* right_bracket is a bracket */
+-                        strcat(p_pcre, "\\]");
+                        STRING_CAT(p_pcre, "\\]", pcre_str_end);
+                     p_pcre += strlen(p_pcre);
+                     c = right_bracket;
+                     if (!*c)
+@@ -339,7 +343,7 @@ int ec_glob(const char *pattern, const char *string)
+         }
+     }
+ 
+-    *(p_pcre ++) = '$';
+    ADD_CHAR(p_pcre, '$', pcre_str_end);
+ 
+     pcre2_code_free(re); /* ^\\d+\\.\\.\\d+$ */
+ 
--- a/meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_2.patch
+++ b/meta-oe/recipes-devtools/editorconfig/files/CVE-2024-53849_2.patch
@ -0,0 +1,48 @@
+From 8ac5af4bc4b6344442f11f35fdc48177ce570a13 Mon Sep 17 00:00:00 2001
+From: Christopher Wellons <wellons@nullprogram.com>
+Date: Sat, 17 Feb 2024 16:01:57 -0500
+Subject: [PATCH] Fix pointer overflow in STRING_CAT
+
+The end pointer is positioned one past the end of the destination, and
+it is undefined behavior to compute an address beyond the end pointer,
+including for comparisons, even temporarily. The UB occurs exactly when
+buffer overflow would have occurred, so the buffer overflow check could
+be optimized away by compilers. Even if this wasn't the case, the check
+could produce a false negative if the computed address overflowed the
+address space, which is, after all, why the C standard doesn't define
+behavior in the first place.
+
+The fix is simple: Check using sizes, not addresses. The explicit cast
+suppresses warnings about signed-unsigned comparisons, and the assertion
+checks the cast.
+
+CVE: CVE-2024-53849
+Upstream-Status: Backport [https://github.com/editorconfig/editorconfig-core-c/commit/4d5518a0a4e4910c37281ab13a048d0d86999782]
+(cherry picked from commit 4d5518a0a4e4910c37281ab13a048d0d86999782)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/lib/ec_glob.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/ec_glob.c b/src/lib/ec_glob.c
+index e62af1f..c2b83cf 100644
+--- a/src/lib/ec_glob.c
+++ b/src/lib/ec_glob.c
+@@ -27,6 +27,7 @@
+ 
+ #include "global.h"
+ 
+#include <assert.h>
+ #include <ctype.h>
+ #include <string.h>
+ #include <pcre2.h>
+@@ -51,7 +52,8 @@ static const UT_icd ut_int_pair_icd = {sizeof(int_pair),NULL,NULL,NULL};
+ /* concatenate the string then move the pointer to the end */
+ #define STRING_CAT(p, string, end)  do {    \
+     size_t string_len = strlen(string); \
+-    if (p + string_len >= end) \
+    assert(end > p); \
+    if (string_len >= (size_t)(end - p)) \
+         return -1; \
+     strcat(p, string); \
+     p += string_len; \