
[meta-oe,kirkstone] indent: fix CVE-2024-0911

Message ID 20241122093311.1656415-1-hongxu.jia@windriver.com

Commit Message

Hongxu Jia Nov. 22, 2024, 9:33 a.m. UTC
Backport a fix from upstream to resolve CVE-2024-0911

  https://git.savannah.gnu.org/git/indent.git feb2b646e6c3a05018e132515c5eda98ca13d50d

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
 ...ap-buffer-underread-in-set_buf_break.patch | 123 ++++++++++++++++++
 .../recipes-extended/indent/indent_2.2.12.bb  |   1 +
 2 files changed, 124 insertions(+)
 create mode 100644 meta-oe/recipes-extended/indent/indent/0001-Fix-a-heap-buffer-underread-in-set_buf_break.patch

diff --git a/meta-oe/recipes-extended/indent/indent/0001-Fix-a-heap-buffer-underread-in-set_buf_break.patch b/meta-oe/recipes-extended/indent/indent/0001-Fix-a-heap-buffer-underread-in-set_buf_break.patch
new file mode 100644
index 0000000000..9938b6ebed
--- /dev/null
+++ b/meta-oe/recipes-extended/indent/indent/0001-Fix-a-heap-buffer-underread-in-set_buf_break.patch
@@ -0,0 +1,123 @@ 
+From ec3ce4dce7f0bc6f15e8a29eeb3776359e0750fb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 22 Nov 2024 17:27:21 +0800
+Subject: [PATCH] Fix a heap buffer underread in set_buf_break()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If an opening parenthesis follows a comment with a text, a read from
+an invalid address happens in set_buf_break():
+
+    $ printf '/*a*/()' | valgrind -- ./src/indent - -o /dev/null
+    ==28887== Memcheck, a memory error detector
+    ==28887== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
+    ==28887== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info
+    ==28887== Command: ./src/indent - -o /dev/null
+    ==28887==
+    ==28887== Invalid read of size 2
+    ==28887==    at 0x409989: set_buf_break (output.c:319)
+    ==28887==    by 0x401FE7: indent_main_loop (indent.c:640)
+    ==28887==    by 0x4022A7: indent (indent.c:759)
+    ==28887==    by 0x40294E: indent_single_file (indent.c:1004)
+    ==28887==    by 0x402A1C: indent_all (indent.c:1042)
+    ==28887==    by 0x402BD0: main (indent.c:1123)
+    ==28887==  Address 0x4a5facc is 4 bytes before a block of size 16 alloc'd
+    ==28887==    at 0x4849E60: calloc (vg_replace_malloc.c:1595)
+    ==28887==    by 0x408B61: xmalloc (globs.c:42)
+    ==28887==    by 0x40765E: init_parser (parse.c:73)
+    ==28887==    by 0x402B1F: main (indent.c:1101)
+
+It happens when checking an indentation level of the outer scope by indexing
+parser_state_tos->paren_indents[]:
+
+    level = parser_state_tos->p_l_follow;
+    [...]
+    /* Did we just parse a bracket that will be put on the next line
+     * by this line break? */
+    if ((*token == '(') || (*token == '['))
+        --level;    /* then don't take it into account */
+    [...]
+    if (level == 0) {
+    } else {
+→       if (parser_state_tos->paren_indents[level - 1] < 0) {...}
+    }
+
+The cause is a special case for moving opening parentheses and
+brackets to a next line. If parser_state_tos->p_l_follow is zero
+(like in the reproducer), the index evaluates to -2 and goes out of
+range of the paren_indents array.
+
+This patch simply prevents from decreasing the index under zero when
+formating the code. Maybe it leaves some piece of code unformated, but
+it's safe.
+
+I checked all places where p_l_follow is set (it is only in
+handletoken.c) and they corretly prevent from decrasing it under
+zero. That keeps set_buf_break() in output.c as the culprit.
+
+<https://lists.gnu.org/archive/html/bug-indent/2024-01/msg00000.html>
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+CVE: CVE-2024-0911
+Upstream-Status: Backport [feb2b646e6c3a05018e132515c5eda98ca13d50d
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ regression/TEST                                     | 2 +-
+ regression/input/comment-parent-heap-underread.c    | 3 +++
+ regression/standard/comment-parent-heap-underread.c | 5 +++++
+ src/output.c                                        | 2 +-
+ 4 files changed, 10 insertions(+), 2 deletions(-)
+ create mode 100644 regression/input/comment-parent-heap-underread.c
+ create mode 100644 regression/standard/comment-parent-heap-underread.c
+
+diff --git a/regression/TEST b/regression/TEST
+index a76c112..0888a18 100755
+--- a/regression/TEST
++++ b/regression/TEST
+@@ -38,7 +38,7 @@ BUGS="case-label.c one-line-1.c one-line-2.c one-line-3.c \
+         macro.c enum.c elif.c nested.c wrapped-string.c minus_predecrement.c \
+         bug-gnu-33364.c float-constant-suffix.c block-comments.c \
+         no-forced-nl-in-block-init.c hexadecimal_float.c \
+-        comment-heap-overread.c"
++        comment-heap-overread.c comment-parent-heap-underread.c"
+ 
+ INDENTSRC="args.c backup.h backup.c dirent_def.h globs.c indent.h \
+         indent.c indent_globs.h io.c lexi.c memcpy.c parse.c pr_comment.c \
+diff --git a/regression/input/comment-parent-heap-underread.c b/regression/input/comment-parent-heap-underread.c
+new file mode 100644
+index 0000000..68e13cf
+--- /dev/null
++++ b/regression/input/comment-parent-heap-underread.c
+@@ -0,0 +1,3 @@
++void foo(void) {
++/*a*/(1);
++}
+diff --git a/regression/standard/comment-parent-heap-underread.c b/regression/standard/comment-parent-heap-underread.c
+new file mode 100644
+index 0000000..9a1c6e3
+--- /dev/null
++++ b/regression/standard/comment-parent-heap-underread.c
+@@ -0,0 +1,5 @@
++void
++foo (void)
++{
++/*a*/ (1);
++}
+diff --git a/src/output.c b/src/output.c
+index 5b92167..b8a4961 100644
+--- a/src/output.c
++++ b/src/output.c
+@@ -290,7 +290,7 @@ void set_buf_break (
+     /* Did we just parse a bracket that will be put on the next line
+      * by this line break? */
+ 
+-    if ((*token == '(') || (*token == '['))
++    if (level > 0 && ((*token == '(') || (*token == '[')))
+     {
+         --level;                        /* then don't take it into account */
+     }
+-- 
+2.34.1
+
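Review bot: The `Upstream-Status` trailer near the top of the new patch file is missing its closing bracket — `Upstream-Status: Backport [feb2b646e6c3a05018e132515c5eda98ca13d50d` should read `Upstream-Status: Backport [feb2b646e6c3a05018e132515c5eda98ca13d50d]` so that OE's patch-metadata checks see a well-formed Backport tag. The `From ec3ce4dce7f0…` line at the head of the patch is the locally re-exported commit rather than the upstream commit named in the trailer and the cover letter, which is normal for a backport but worth noting when cross-checking against upstream. The one-line change in `set_buf_break()` only skips the `--level` when `level > 0`, so the later `paren_indents[level - 1]` read stays safe provided `p_l_follow` is never negative, which the upstream message says was verified in handletoken.c but which this patch does not itself enforce. The added regression input exercises `/*a*/(1);` but not the `/*a*/()` stdin reproducer quoted in the description; adding that case to the regression input would pin the exact crash path. set_buf_break() begins and ends outside the inner hunk.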
diff --git a/meta-oe/recipes-extended/indent/indent_2.2.12.bb b/meta-oe/recipes-extended/indent/indent_2.2.12.bb
index a846682c13..7bf8e406fb 100644
--- a/meta-oe/recipes-extended/indent/indent_2.2.12.bb
+++ b/meta-oe/recipes-extended/indent/indent_2.2.12.bb
@@ -19,6 +19,7 @@  SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \
            file://0001-Remove-dead-paren_level-code.patch \
            file://CVE-2023-40305_0001.patch \
            file://CVE-2023-40305_0002.patch \
+           file://0001-Fix-a-heap-buffer-underread-in-set_buf_break.patch \
            "
 SRC_URI[md5sum] = "4764b6ac98f6654a35da117b8e5e8e14"
 SRC_URI[sha256sum] = "e77d68c0211515459b8812118d606812e300097cfac0b4e9fb3472664263bb8b"
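Review bot: The new patch is added to SRC_URI under the generic name `0001-Fix-a-heap-buffer-underread-in-set_buf_break.patch`, while the recipe's existing CVE fixes follow the `CVE-2023-40305_0001.patch` / `CVE-2023-40305_0002.patch` convention; naming this one `CVE-2024-0911.patch` would keep the recipe consistent and make the fix easy to spot in a CVE audit of the directory. This is a style point only: the `CVE: CVE-2024-0911` trailer inside the patch file is what OE's cve-check normally keys on, so the current name should still be picked up.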