[3.5] flex: buffer overflow in generated code (yy_get_next_buffer) (CVE-2016-6354)
flex incorrectly resized the num_to_read variable in yy_get_next_buffer.
The buffer is resized if this value is less than or equal to zero.
With specially crafted input, it is possible that the buffer is not
resized when the input is larger than the default buffer size of 16k.
This allows a heap buffer overflow.
Partially fixed in version:
flex 2.6.1
Reference:
http://seclists.org/oss-sec/2016/q3/97
Patches:
https://github.com/westes/flex/commit/9ba3187a537d6a58d345f2874d06087fd4050399
https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466
(v2.6.1)
https://github.com/westes/flex/commit/7a7c3dfe1bcb8230447ba1656f926b4b4cdfc457
https://github.com/westes/flex/commit/1da19feba7c957e0f0af0c3eeadc29e8c82b0ca3
(from redmine: issue id 6087, created on 2016-08-27, closed on 2016-10-14)
- Relations:
- parent #6086 (closed)
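
The failure mode described in this issue, as an added example that is not flex's generated code: it assumes the free-space count (num_to_read) is held in an unsigned type, which the issue text does not state. The function names, the `held` parameter and the sample sizes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define BUF_SIZE 16384u /* the 16k default buffer size named in the issue */

/* Weak form: free space kept as an unsigned count. Once `held` reaches
 * buf_size the subtraction wraps to a huge value, so "<= 0" can only
 * ever match exactly zero and the resize is skipped. */
static int needs_resize_unsigned(size_t buf_size, size_t held)
{
    size_t num_to_read = buf_size - held - 1;
    return num_to_read <= 0;
}

/* Corrected form: a signed count goes negative instead of wrapping,
 * so the same "<= 0" test still requests a resize. */
static int needs_resize_signed(size_t buf_size, size_t held)
{
    long long num_to_read = (long long)buf_size - (long long)held - 1;
    return num_to_read <= 0;
}

/* Alternative that compares the sizes directly and never subtracts
 * past zero. */
static int needs_resize_compare(size_t buf_size, size_t held)
{
    return buf_size == 0 || held >= buf_size - 1;
}

int main(void)
{
    /* Constructed sample values for bytes already held in the buffer. */
    const size_t held[] = { 100, BUF_SIZE - 1, BUF_SIZE, 20000 };
    for (size_t i = 0; i < sizeof held / sizeof held[0]; i++)
        printf("held=%5zu unsigned=%d signed=%d compare=%d\n", held[i],
               needs_resize_unsigned(BUF_SIZE, held[i]),
               needs_resize_signed(BUF_SIZE, held[i]),
               needs_resize_compare(BUF_SIZE, held[i]));
    return 0;
}
```

When auditing generated scanners or similar refill loops, a `<= 0` or `< 0` guard on a value of unsigned type is the pattern to look for.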