[pkgsrc/trunk]: pkgsrc/www/lighttpd Apply upstream 584a69c4 to fix use-after-...

[schmonz <schmonz%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/59bd2bb790d8
branches:  trunk
changeset: 768910:59bd2bb790d8
user:      schmonz <schmonz%pkgsrc.org@localhost>
date:      Wed Nov 03 15:06:51 2021 +0000

description:
Apply upstream 584a69c4 to fix use-after-free. Bump PKGREVISION.

diffstat:

 www/lighttpd/Makefile                       |   3 ++-
 www/lighttpd/distinfo                       |   3 ++-
 www/lighttpd/patches/patch-src_mod__alias.c |  29 +++++++++++++++++++++++++++++
 3 files changed, 33 insertions(+), 2 deletions(-)

diffs (58 lines):

diff -r 2a7d7bf802ea -r 59bd2bb790d8 www/lighttpd/Makefile
--- a/www/lighttpd/Makefile     Wed Nov 03 13:59:13 2021 +0000
+++ b/www/lighttpd/Makefile     Wed Nov 03 15:06:51 2021 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.103 2021/10/29 07:11:36 wiz Exp $
+# $NetBSD: Makefile,v 1.104 2021/11/03 15:06:51 schmonz Exp $
 
 DISTNAME=      lighttpd-1.4.61
+PKGREVISION=   1
 CATEGORIES=    www
 MASTER_SITES=  https://download.lighttpd.net/lighttpd/releases-1.4.x/
 EXTRACT_SUFX=  .tar.xz
diff -r 2a7d7bf802ea -r 59bd2bb790d8 www/lighttpd/distinfo
--- a/www/lighttpd/distinfo     Wed Nov 03 13:59:13 2021 +0000
+++ b/www/lighttpd/distinfo     Wed Nov 03 15:06:51 2021 +0000
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.66 2021/10/29 07:11:36 wiz Exp $
+$NetBSD: distinfo,v 1.67 2021/11/03 15:06:51 schmonz Exp $
 
 BLAKE2s (lighttpd-1.4.61.tar.xz) = 07cfcad072c2e66ea462c5782af85346ebd403318a7235af913d14652eecee2b
 SHA512 (lighttpd-1.4.61.tar.xz) = 30bd93e88714ac263b66266bb47a0b9b80831d73967f1268d5d5e311a5122bf3a5f20915ec351ac02b4f52a74aac10bd3ed35754a31061058733ab6284e3dabf
 Size (lighttpd-1.4.61.tar.xz) = 1010624 bytes
 SHA1 (patch-doc_config_lighttpd.conf) = 32a4b6bd32f88d05dd75f65de6ec57b203c37d8b
 SHA1 (patch-doc_lighttpd.8) = e08ac362784aebaca566d0f65380b70a829d6b4e
+SHA1 (patch-src_mod__alias.c) = dac2bd6ec0d06f1dfe7568193c2289641bb14869
diff -r 2a7d7bf802ea -r 59bd2bb790d8 www/lighttpd/patches/patch-src_mod__alias.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/lighttpd/patches/patch-src_mod__alias.c       Wed Nov 03 15:06:51 2021 +0000
@@ -0,0 +1,29 @@
+$NetBSD: patch-src_mod__alias.c,v 1.1 2021/11/03 15:06:51 schmonz Exp $
+
+Apply upstream 584a69c4 to fix use-after-free.
+
+<https://redmine.lighttpd.net/issues/3114>
+
+--- src/mod_alias.c.orig       2021-10-28 22:58:31.000000000 +0000
++++ src/mod_alias.c
+@@ -128,7 +128,7 @@ mod_alias_remap (request_st * const r, c
+     if (0 == path_len || path_len < basedir_len) return HANDLER_GO_ON;
+ 
+     const uint32_t uri_len = path_len - basedir_len;
+-    const char * const uri_ptr = r->physical.path.ptr + basedir_len;
++    const char *uri_ptr = r->physical.path.ptr + basedir_len;
+     data_string * const ds = (data_string *)
+       (!r->conf.force_lowercase_filenames
+         ? array_match_key_prefix_klen(aliases, uri_ptr, uri_len)
+@@ -159,8 +159,10 @@ mod_alias_remap (request_st * const r, c
+      * (though resulting r->physical.basedir would not be a dir))*/
+     if (vlen != basedir_len + alias_len) {
+         const uint32_t nlen = vlen + uri_len - alias_len;
+-        if (path_len + buffer_string_space(&r->physical.path) < nlen)
++        if (path_len + buffer_string_space(&r->physical.path) < nlen) {
+             buffer_string_prepare_append(&r->physical.path, nlen - path_len);
++            uri_ptr = r->physical.path.ptr + basedir_len;/*(refresh if alloc)*/
++        }
+         memmove(r->physical.path.ptr + vlen,
+                 uri_ptr + alias_len, uri_len - alias_len);
+         buffer_truncate(&r->physical.path, nlen);