Sat Jan 11 03:21:10 UTC 2014

3 files changed, 87 insertions, 2 deletions

diff --git a/extra/graphviz/PKGBUILD b/extra/graphviz/PKGBUILD
index 16c4030c7..884b8cec1 100644
--- a/extra/graphviz/PKGBUILD
+++ b/extra/graphviz/PKGBUILD
@@ -1,11 +1,11 @@
-# $Id: PKGBUILD 198050 2013-10-30 12:29:51Z allan $
+# $Id: PKGBUILD 203404 2014-01-10 04:16:47Z bisson $
 # Maintainer: Gaetan Bisson <bisson@archlinux.org>
 # Contributor: kevin <kevin@archlinux.org>
 # Contributor: John Proctor <jproctor@prium.net>
 
 pkgname=graphviz
 pkgver=2.34.0
-pkgrel=2
+pkgrel=3
 pkgdesc='Graph visualization software'
 url='http://www.graphviz.org/'
 license=('CPL')
@@ -23,14 +23,20 @@ optdepends=('mono: sharp bindings'
             'tcl: tcl bindings'
             'qt4: gvedit')
 source=("${url}/pub/${pkgname}/stable/SOURCES/${pkgname}-${pkgver}.tar.gz"
+        'yyerror0.patch'
+        'yyerror1.patch'
         'dotty.patch')
 sha1sums=('5a0c00bebe7f4c7a04523db21f40966dc9f0d441'
+          '7a6fe4f532974d9ca173b1aba9927bdeb5f80be9'
+          '6d76a230ee6c11bcd610ebe56f98e96ecef6217d'
           '31bc9f505c8b6470289a0d6ec31c237765cba239')
 
 install=install
 
 prepare() {
 	cd "${srcdir}/${pkgname}-${pkgver}"
+	patch -p1 -i ../yyerror0.patch
+	patch -p1 -i ../yyerror1.patch
 	patch -p1 -i ../dotty.patch
 	sed \
 		-e '/LIBPOSTFIX="64"/d' \
diff --git a/extra/graphviz/yyerror0.patch b/extra/graphviz/yyerror0.patch
new file mode 100644
index 000000000..f8bb98373
--- /dev/null
+++ b/extra/graphviz/yyerror0.patch
@@ -0,0 +1,53 @@
+From 7aaddf52cd98589fb0c3ab72a393f8411838438a Mon Sep 17 00:00:00 2001
+From: "Emden R. Gansner" <erg@alum.mit.edu>
+Date: Fri, 4 Oct 2013 09:06:39 -0400
+Subject: [PATCH] Fix buffer overflow problem when reporting a syntax error
+ with a very long input line
+
+---
+ lib/cgraph/scan.l | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
+index 3cfde0f..2efd203 100644
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -16,6 +16,7 @@
+ %{
+ #include <grammar.h>
+ #include <cghdr.h>
++#include <agxbuf.h>
+ #include <ctype.h>
+ #define GRAPH_EOF_TOKEN		'@'		/* lex class must be defined below */
+ 	/* this is a workaround for linux flex */
+@@ -191,13 +192,21 @@ ID		({NAME}|{NUMBER})
+ %%
+ void yyerror(char *str)
+ {
++	unsigned char	xbuf[BUFSIZ];
+ 	char	buf[BUFSIZ];
+-	if (InputFile)
+-		sprintf(buf,"%s:%d: %s in line %d near '%s'\n",InputFile, line_num,
+-			str,line_num,yytext);
+-	else
+-		sprintf(buf," %s in line %d near '%s'\n", str,line_num,yytext);
+-	agerr(AGWARN,buf);
++	agxbuf  xb;
++
++	agxbinit(&xb, BUFSIZ, xbuf);
++	if (InputFile) {
++		agxbput (&xb, InputFile);
++		agxbput (&xb, ": ");
++	}
++	sprintf(buf," %s in line %d near '", str,line_num);
++	agxbput (&xb, buf);
++	agxbput (&xb, yytext);
++	agxbput (&xb,"'\n");
++	agerr(AGWARN,agxbuse(&xb));
++	agxbfree(&xb);
+ }
+ /* must be here to see flex's macro defns */
+ void aglexeof() { unput(GRAPH_EOF_TOKEN); }
+-- 
+1.8.5.1
+
diff --git a/extra/graphviz/yyerror1.patch b/extra/graphviz/yyerror1.patch
new file mode 100644
index 000000000..4f1faf4df
--- /dev/null
+++ b/extra/graphviz/yyerror1.patch
@@ -0,0 +1,26 @@
+From d266bb2b4154d11c27252b56d86963aef4434750 Mon Sep 17 00:00:00 2001
+From: "Emden R. Gansner" <erg@alum.mit.edu>
+Date: Tue, 7 Jan 2014 10:45:36 -0500
+Subject: [PATCH] Prevent possible buffer overflow in yyerror()
+
+---
+ lib/cgraph/scan.l | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
+index 3efe1d5..212967c 100644
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -201,7 +201,8 @@ void yyerror(char *str)
+ 		agxbput (&xb, InputFile);
+ 		agxbput (&xb, ": ");
+ 	}
+-	sprintf(buf," %s in line %d near '", str,line_num);
++	agxbput (&xb, str);
++	sprintf(buf," in line %d near '", line_num);
+ 	agxbput (&xb, buf);
+ 	agxbput (&xb, yytext);
+ 	agxbput (&xb,"'\n");
+-- 
+1.8.5.1
+