libhx bump and security fix

(Portage version: 2.1.8.3/cvs/Linux x86_64)

1 files changed, 43 insertions, 0 deletions

diff --git a/sys-libs/libhx/files/libhx-3.5-buffer-overflow.patch b/sys-libs/libhx/files/libhx-3.5-buffer-overflow.patch
new file mode 100644
index 000000000000..ae6ff91bb9bf
--- /dev/null
+++ b/sys-libs/libhx/files/libhx-3.5-buffer-overflow.patch
@@ -0,0 +1,43 @@
+diff --git a/src/string.c b/src/string.c
+index 1acfab2..bea6e71 100644
+--- a/src/string.c
++++ b/src/string.c
+@@ -153,7 +153,7 @@ EXPORT_SYMBOL char **HX_split(const char *str, const char *delim,
+ 		}
+ 	}
+ 
+-	if (max == 0)
++	if (max == 0 || *cp < max)
+ 		max = *cp;
+ 	else if (*cp > max)
+ 		*cp = max;
+diff --git a/src/tx-string.cpp b/src/tx-string.cpp
+index 4e9a534..cc2cbf8 100644
+--- a/src/tx-string.cpp
++++ b/src/tx-string.cpp
+@@ -142,6 +142,17 @@ static void t_split(void)
+ 	free(a1);
+ }
+ 
++static void t_split2(void)
++{
++	static const char tmp[] = "";
++	int c = 0;
++	char **a;
++
++	a = HX_split(tmp, " ", &c, 6);
++	printf("Got %d fields\n", c);
++	HX_zvecfree(a);
++}
++
+ static void t_quote(void)
+ {
+ 	char *fm = NULL;
+@@ -178,6 +189,7 @@ int main(int argc, const char **argv)
+ 	t_strncat();
+ 	t_strsep();
+ 	t_split();
++	t_split2();
+ 	t_quote();
+ 	HXmc_free(tx);
+ 	HX_exit();