dev-util/re2c: fix lexer overflow, bug #718350

Direct backport of c4603ba5ce229db ("Fix crash in lexer
refill (reported by Agostino Sarubbo).")

Reported-by: Agostino Sarubbo
Bug: https://bugs.gentoo.org/718350
Package-Manager: Portage-2.3.99, Repoman-2.3.22
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

1 files changed, 40 insertions, 0 deletions

diff --git a/dev-util/re2c/files/re2c-1.3-lexer-overflow.patch b/dev-util/re2c/files/re2c-1.3-lexer-overflow.patch
new file mode 100644
index 000000000000..4222ef430c32
--- /dev/null
+++ b/dev-util/re2c/files/re2c-1.3-lexer-overflow.patch
@@ -0,0 +1,40 @@
+https://bugs.gentoo.org/718350
+
+From c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a Mon Sep 17 00:00:00 2001
+From: Ulya Trofimovich <skvadrik@gmail.com>
+Date: Fri, 17 Apr 2020 22:47:14 +0100
+Subject: [PATCH] Fix crash in lexer refill (reported by Agostino Sarubbo).
+
+The crash happened in a rare case of a very long lexeme that doen't fit
+into the buffer, forcing buffer reallocation.
+
+The crash was caused by an incorrect calculation of the shift offset
+(it was smaller than necessary). As a consequence, the data from buffer
+start and up to the beginning of the current lexeme was not discarded
+(as it should have been), resulting in less free space for new data than
+expected.
+---
+ src/parse/scanner.cc | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/src/parse/scanner.cc
++++ b/src/parse/scanner.cc
+@@ -155,13 +155,14 @@ bool Scanner::fill(size_t need)
+         if (!buf) fatal("out of memory");
+ 
+         memmove(buf, tok, copy);
+-        shift_ptrs_and_fpos(buf - bot);
++        shift_ptrs_and_fpos(buf - tok);
+         delete [] bot;
+         bot = buf;
+ 
+         free = BSIZE - copy;
+     }
+ 
++    DASSERT(lim + free <= bot + BSIZE);
+     if (!read(free)) {
+         eof = lim;
+         memset(lim, 0, YYMAXFILL);
+-- 
+2.26.1
+