From: Ross Burton <ross.burton@arm.com>
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 2/6] re2c: backport fix for CVE-2026-2903
Date: Tue, 14 Apr 2026 16:56:48 +0100 [thread overview]
Message-ID: <20260414155652.1214302-2-ross.burton@arm.com> (raw)
In-Reply-To: <20260414155652.1214302-1-ross.burton@arm.com>
Backport a patch from upstream to fix CVE-2026-2903.
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
.../re2c/re2c/CVE-2026-2903.patch | 68 +++++++++++++++++++
meta/recipes-support/re2c/re2c_4.4.bb | 4 +-
2 files changed, 71 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/re2c/re2c/CVE-2026-2903.patch
diff --git a/meta/recipes-support/re2c/re2c/CVE-2026-2903.patch b/meta/recipes-support/re2c/re2c/CVE-2026-2903.patch
new file mode 100644
index 00000000000..266891fa494
--- /dev/null
+++ b/meta/recipes-support/re2c/re2c/CVE-2026-2903.patch
@@ -0,0 +1,68 @@
+From febeb977936f9519a25d9fbd10ff8256358cdb97 Mon Sep 17 00:00:00 2001
+From: Ulya Trofimovich <skvadrik@gmail.com>
+Date: Tue, 3 Feb 2026 21:33:11 +0000
+Subject: [PATCH] Fix null pointer dereference when actions are used without
+ rules.
+
+Null pointer dereference happened because the root TNFA state was null:
+there were no rules for a block, but determinization still happened.
+
+In this case re2c should emit an error and never even attempt
+determinization. It was properly handled for blocks with start
+conditions, but not for normal blocks.
+
+This addresses #571 "[Bug] Segmentation Fault (NULL Dereference) in
+re2c::closure_leftmost_dfs during determinization".
+
+CVE: CVE-2026-2903
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ src/parse/ast.cc | 19 +++++++++++++++----
+ test/conditions/cond_error_10.c | 2 +-
+ 2 files changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/src/parse/ast.cc b/src/parse/ast.cc
+index 91865e801..986cfb7da 100644
+--- a/src/parse/ast.cc
++++ b/src/parse/ast.cc
+@@ -332,10 +332,6 @@ Ret check_and_merge_special_rules(AstGrams& grams, const opt_t* opts, Msg& msg,
+ all_conds_have_it = false; \
+ } else if (g.name == STAR_COND) { \
+ star_action = g.action[0]; \
+- } else if (g.rules.empty()) { \
+- RET_FAIL(msg.error(g.action[0]->loc, \
+- "%s action for non-existing condition `%s` found", \
+- str, g.name.c_str())); \
+ } \
+ } \
+ if (star_action && all_conds_have_it) { \
+@@ -422,6 +418,21 @@ Ret check_and_merge_special_rules(AstGrams& grams, const opt_t* opts, Msg& msg,
+ }
+ }
+
++ for (const AstGram& g : grams) {
++ if (g.rules.empty()) {
++#define CHECK_ACTION(action, str) do { \
++ if (!g.action.empty()) { \
++ RET_FAIL(msg.error(g.action[0]->loc, \
++ "%s action %sbut no rules found", str, incond(g.name).c_str())); \
++ } \
++} while(0)
++ CHECK_ACTION(entry, "entry");
++ CHECK_ACTION(pre_rule, "pre-rule");
++ CHECK_ACTION(post_rule, "post-rule");
++#undef CHECK_ACTION
++ }
++ }
++
+ // zero condition must be the first one.
+ auto zero = std::find_if(
+ grams.begin(), grams.end(), [](const AstGram& g) { return g.name == ZERO_COND; });
+diff --git a/test/conditions/cond_error_10.c b/test/conditions/cond_error_10.c
+index 571028a22..3bfde301b 100644
+--- a/test/conditions/cond_error_10.c
++++ b/test/conditions/cond_error_10.c
+@@ -1 +1 @@
+-conditions/cond_error_10.re:7:5: error: pre-rule action for non-existing condition `c` found
++conditions/cond_error_10.re:7:5: error: pre-rule action in condition 'c' but no rules found
diff --git a/meta/recipes-support/re2c/re2c_4.4.bb b/meta/recipes-support/re2c/re2c_4.4.bb
index 3be66d13884..ea9364c483d 100644
--- a/meta/recipes-support/re2c/re2c_4.4.bb
+++ b/meta/recipes-support/re2c/re2c_4.4.bb
@@ -6,7 +6,9 @@ SECTION = "devel"
LICENSE = "PD"
LIC_FILES_CHKSUM = "file://LICENSE;md5=64eca4d8a3b67f9dc7656094731a2c8d"
-SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BPN}-${PV}.tar.xz"
+SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BPN}-${PV}.tar.xz \
+ file://CVE-2026-2903.patch"
+
SRC_URI[sha256sum] = "6b6b865924447ef992d5db4e52fb9307e5f65f26edd43efa91395da810f4280a"
GITHUB_BASE_URI = "https://github.com/skvadrik/re2c/releases"
--
2.43.0
next prev parent reply other threads:[~2026-04-14 15:57 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-14 15:56 [PATCH 1/6] graphene: ignore CVE-2024-1984 Ross Burton
2026-04-14 15:56 ` Ross Burton [this message]
2026-04-14 15:56 ` [PATCH 3/6] python3-requests: backport fix for CVE-2026-25645 Ross Burton
2026-04-14 15:56 ` [PATCH 4/6] libexif: backport fixes for CVE-2026-40385/CVE-2026-40386/CVE-2026-32775 Ross Burton
2026-04-15 19:10 ` [OE-core] " Marko, Peter
2026-04-15 21:13 ` Ross Burton
2026-04-14 15:56 ` [PATCH 5/6] perl: link to the system zlib instead of a vendored copy Ross Burton
2026-04-14 15:56 ` [PATCH 6/6] perl: link to the system bzip2 " Ross Burton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260414155652.1214302-2-ross.burton@arm.com \
--to=ross.burton@arm.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox