git: Security fix for CVE-2022-41903

Upstream-Status: Backport from https://github.com/git/git/commit/a244dc5b & https://github.com/git/git/commit/81dc898d & https://github.com/git/git/commit/b49f309a & https://github.com/git/git/commit/f6e0b9f3 & https://github.com/git/git/commit/1de69c0c & https://github.com/git/git/commit/48050c42 & https://github.com/git/git/commit/522cc87f & https://github.com/git/git/commit/17d23e8a & https://github.com/git/git/commit/937b71cc & https://github.com/git/git/commit/81c2d4c3 & https://github.com/git/git/commit/f930a239 & https://github.com/git/git/commit/304a50ad (From OE-Core rev: d591ac4dfeff7b69086a47c7e88a8127f1d31299) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Vijay Anusuri <vanusuri@mvista.com> 2023-03-03 16:13:01 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-03-14 14:59:10 +0000
commit: 7b9f7437edcc3de1c52345deefcc507452ee95fc (patch)
tree: cf51dcd19d05051d658aae6a30932f7348762830 /meta/recipes-devtools/git/files/CVE-2022-41903-11.patch
parent: c35692c6ebd704e7f4c13b34ac66eda35e8e251e (diff)
download: poky-7b9f7437edcc3de1c52345deefcc507452ee95fc.tar.gz
1 files changed, 90 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-11.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-11.patch
new file mode 100644
index 0000000000..f339edfc8a
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-11.patch
@@ -0,0 +1,90 @@
+From f930a2394303b902e2973f4308f96529f736b8bc Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:47:15 +0100
+Subject: [PATCH 11/12] utf8: refactor strbuf_utf8_replace to not rely on preallocated buffer
+In `strbuf_utf8_replace`, we preallocate the destination buffer and then
+use `memcpy` to copy bytes into it at computed offsets. This feels
+rather fragile and is hard to understand at times. Refactor the code to
+instead use `strbuf_add` and `strbuf_addstr` so that we can be sure that
+there is no possibility to perform an out-of-bounds write.
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+Upstream-Status: Backport [https://github.com/git/git/commit/f930a2394303b902e2973f4308f96529f736b8bc]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ utf8.c | 34 +++++++++++++---------------------
+ 1 file changed, 13 insertions(+), 21 deletions(-)
+diff --git a/utf8.c b/utf8.c
+index ec03e69..a13f5e3 100644
+--- a/utf8.c
+++ b/utf8.c
+@@ -365,26 +365,20 @@ void strbuf_add_wrapped_bytes(struct strbuf *buf, const char *data, int len,
+ void strbuf_utf8_replace(struct strbuf *sb_src, int pos, int width,
+                         const char *subst)
+ {
+-       struct strbuf sb_dst = STRBUF_INIT;
+-       char *src = sb_src->buf;
+-       char *end = src + sb_src->len;
+-       char *dst;
+-       int w = 0, subst_len = 0;
+       const char *src = sb_src->buf, *end = sb_src->buf + sb_src->len;
+       struct strbuf dst;
+       int w = 0;
+ 
+-       if (subst)
+-               subst_len = strlen(subst);
+-       strbuf_grow(&sb_dst, sb_src->len + subst_len);
+-       dst = sb_dst.buf;
+       strbuf_init(&dst, sb_src->len);
+ 
+        while (src < end) {
+               const char *old;
+                int glyph_width;
+-               char *old;
+                size_t n;
+ 
+                while ((n = display_mode_esc_sequence_len(src))) {
+-                       memcpy(dst, src, n);
+                       strbuf_add(&dst, src, n);
+                        src += n;
+-                       dst += n;
+                }
+ 
+                if (src >= end)
+@@ -404,21 +398,19 @@ void strbuf_utf8_replace(struct strbuf *sb_src, int pos, int width,
+ 
+                if (glyph_width && w >= pos && w < pos + width) {
+                        if (subst) {
+-                               memcpy(dst, subst, subst_len);
+-                               dst += subst_len;
+                               strbuf_addstr(&dst, subst);
+                                subst = NULL;
+                        }
+-                       w += glyph_width;
+-                       continue;
+               } else {
+                       strbuf_add(&dst, old, src - old);
+                }
+-               memcpy(dst, old, src - old);
+-               dst += src - old;
+
+                w += glyph_width;
+        }
+-       strbuf_setlen(&sb_dst, dst - sb_dst.buf);
+-       strbuf_swap(sb_src, &sb_dst);
+
+       strbuf_swap(sb_src, &dst);
+ out:
+-       strbuf_release(&sb_dst);
+       strbuf_release(&dst);
+ }
+ 
+ /*
+-- 
+2.25.1
author	Vijay Anusuri <vanusuri@mvista.com>	2023-03-03 16:13:01 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-03-14 14:59:10 +0000
commit	7b9f7437edcc3de1c52345deefcc507452ee95fc (patch)
tree	cf51dcd19d05051d658aae6a30932f7348762830 /meta/recipes-devtools/git/files/CVE-2022-41903-11.patch
parent	c35692c6ebd704e7f4c13b34ac66eda35e8e251e (diff)
download	poky-7b9f7437edcc3de1c52345deefcc507452ee95fc.tar.gz

diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-11.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-11.patch new file mode 100644 index 0000000000..f339edfc8a --- /dev/null +++ b/meta/recipes-devtools/git/files/CVE-2022-41903-11.patch
@@ -0,0 +1,90 @@
	1	From f930a2394303b902e2973f4308f96529f736b8bc Mon Sep 17 00:00:00 2001
	2	From: Patrick Steinhardt <ps@pks.im>
	3	Date: Thu, 1 Dec 2022 15:47:15 +0100
	4	Subject: [PATCH 11/12] utf8: refactor strbuf_utf8_replace to not rely on preallocated buffer
	5
	6	In `strbuf_utf8_replace`, we preallocate the destination buffer and then
	7	use `memcpy` to copy bytes into it at computed offsets. This feels
	8	rather fragile and is hard to understand at times. Refactor the code to
	9	instead use `strbuf_add` and `strbuf_addstr` so that we can be sure that
	10	there is no possibility to perform an out-of-bounds write.
	11
	12	Signed-off-by: Patrick Steinhardt <ps@pks.im>
	13	Signed-off-by: Junio C Hamano <gitster@pobox.com>
	14
	15	Upstream-Status: Backport [https://github.com/git/git/commit/f930a2394303b902e2973f4308f96529f736b8bc]
	16	CVE: CVE-2022-41903
	17	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	18	---
	19	utf8.c \| 34 +++++++++++++---------------------
	20	1 file changed, 13 insertions(+), 21 deletions(-)
	21
	22	diff --git a/utf8.c b/utf8.c
	23	index ec03e69..a13f5e3 100644
	24	--- a/utf8.c
	25	+++ b/utf8.c
	26	@@ -365,26 +365,20 @@ void strbuf_add_wrapped_bytes(struct strbuf buf, const char data, int len,
	27	void strbuf_utf8_replace(struct strbuf *sb_src, int pos, int width,
	28	const char *subst)
	29	{
	30	- struct strbuf sb_dst = STRBUF_INIT;
	31	- char *src = sb_src->buf;
	32	- char *end = src + sb_src->len;
	33	- char *dst;
	34	- int w = 0, subst_len = 0;
	35	+ const char src = sb_src->buf, end = sb_src->buf + sb_src->len;
	36	+ struct strbuf dst;
	37	+ int w = 0;
	38
	39	- if (subst)
	40	- subst_len = strlen(subst);
	41	- strbuf_grow(&sb_dst, sb_src->len + subst_len);
	42	- dst = sb_dst.buf;
	43	+ strbuf_init(&dst, sb_src->len);
	44
	45	while (src < end) {
	46	+ const char *old;
	47	int glyph_width;
	48	- char *old;
	49	size_t n;
	50
	51	while ((n = display_mode_esc_sequence_len(src))) {
	52	- memcpy(dst, src, n);
	53	+ strbuf_add(&dst, src, n);
	54	src += n;
	55	- dst += n;
	56	}
	57
	58	if (src >= end)
	59	@@ -404,21 +398,19 @@ void strbuf_utf8_replace(struct strbuf *sb_src, int pos, int width,
	60
	61	if (glyph_width && w >= pos && w < pos + width) {
	62	if (subst) {
	63	- memcpy(dst, subst, subst_len);
	64	- dst += subst_len;
	65	+ strbuf_addstr(&dst, subst);
	66	subst = NULL;
	67	}
	68	- w += glyph_width;
	69	- continue;
	70	+ } else {
	71	+ strbuf_add(&dst, old, src - old);
	72	}
	73	- memcpy(dst, old, src - old);
	74	- dst += src - old;
	75	+
	76	w += glyph_width;
	77	}
	78	- strbuf_setlen(&sb_dst, dst - sb_dst.buf);
	79	- strbuf_swap(sb_src, &sb_dst);
	80	+
	81	+ strbuf_swap(sb_src, &dst);
	82	out:
	83	- strbuf_release(&sb_dst);
	84	+ strbuf_release(&dst);
	85	}
	86
	87	/*
	88	--
	89	2.25.1
	90