Diffstat (limited to 'meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27218.patch')
-rw-r--r-- | meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27218.patch | 129 |
1 files changed, 129 insertions, 0 deletions
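--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27218.patch
@@ -0,0 +1,129 @@
+Backport of:
+
+From 0f384c88a241bbbd884487b1c40b7b75f1e638d3 Mon Sep 17 00:00:00 2001
+From: Krzesimir Nowak <qdlacz@gmail.com>
+Date: Wed, 10 Feb 2021 23:51:07 +0100
+Subject: [PATCH] gbytearray: Do not accept too large byte arrays
+
+GByteArray uses guint for storing the length of the byte array, but it
+also has a constructor (g_byte_array_new_take) that takes length as a
+gsize. gsize may be larger than guint (64 bits for gsize vs 32 bits
+for guint). It is possible to call the function with a value greater
+than G_MAXUINT, which will result in silent length truncation. This
+may happen as a result of unreffing GBytes into GByteArray, so rather
+be loud about it.
+
+(Test case tweaked by Philip Withnall.)
+
+(Backport 2.66: Add #include gstrfuncsprivate.h in the test case for
+`g_memdup2()`.)
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27218
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+glib/garray.c | 6 ++++++
+glib/gbytes.c | 4 ++++
+glib/tests/bytes.c | 35 ++++++++++++++++++++++++++++++++++-
+3 files changed, 44 insertions(+), 1 deletion(-)
+
+--- a/glib/garray.c
++++ b/glib/garray.c
+@@ -2234,6 +2234,10 @@ g_byte_array_steal (GByteArray *array,
+* Create byte array containing the data. The data will be owned by the array
+* and will be freed with g_free(), i.e. it could be allocated using g_strdup().
+*
++ * Do not use it if @len is greater than %G_MAXUINT. #GByteArray
++ * stores the length of its data in #guint, which may be shorter than
++ * #gsize.
++ *
+* Since: 2.32
+*
+* Returns: (transfer full): a new #GByteArray
+@@ -2245,6 +2249,8 @@ g_byte_array_new_take (guint8 *data,
+GByteArray *array;
+GRealArray *real;
+
++ g_return_val_if_fail (len <= G_MAXUINT, NULL);
++
+array = g_byte_array_new ();
+real = (GRealArray *)array;
+g_assert (real->data == NULL);
+--- a/glib/gbytes.c
++++ b/glib/gbytes.c
+@@ -519,6 +519,10 @@ g_bytes_unref_to_data (GBytes *bytes,
+* g_bytes_new(), g_bytes_new_take() or g_byte_array_free_to_bytes(). In all
+* other cases the data is copied.
+*
++ * Do not use it if @bytes contains more than %G_MAXUINT
++ * bytes. #GByteArray stores the length of its data in #guint, which
++ * may be shorter than #gsize, that @bytes is using.
++ *
+* Returns: (transfer full): a new mutable #GByteArray containing the same byte data
+*
+* Since: 2.32
+--- a/glib/tests/bytes.c
++++ b/glib/tests/bytes.c
+@@ -10,12 +10,12 @@
+*/
+
+#undef G_DISABLE_ASSERT
+-#undef G_LOG_DOMAIN
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "glib.h"
++#include "glib/gstrfuncsprivate.h"
+
+/* Keep in sync with glib/gbytes.c */
+struct _GBytes
+@@ -334,6 +334,38 @@ test_to_array_transferred (void)
+}
+
+static void
++test_to_array_transferred_oversize (void)
++{
++ g_test_message ("g_bytes_unref_to_array() can only take GBytes up to "
++ "G_MAXUINT in length; test that longer ones are rejected");
++
++ if (sizeof (guint) >= sizeof (gsize))
++ {
++ g_test_skip ("Skipping test as guint is not smaller than gsize");
++ }
++ else if (g_test_undefined ())
++ {
++ GByteArray *array = NULL;
++ GBytes *bytes = NULL;
++ gpointer data = g_memdup2 (NYAN, N_NYAN);
++ gsize len = ((gsize) G_MAXUINT) + 1;
++
++ bytes = g_bytes_new_take (data, len);
++ g_test_expect_message (G_LOG_DOMAIN, G_LOG_LEVEL_CRITICAL,
++ "g_byte_array_new_take: assertion 'len <= G_MAXUINT' failed");
++ array = g_bytes_unref_to_array (g_steal_pointer (&bytes));
++ g_test_assert_expected_messages ();
++ g_assert_null (array);
++
++ g_free (data);
++ }
++ else
++ {
++ g_test_skip ("Skipping test as testing undefined behaviour is disabled");
++ }
++}
++
++static void
+test_to_array_two_refs (void)
+{
+gconstpointer memory;
+@@ -410,6 +442,7 @@ main (int argc, char *argv[])
+g_test_add_func ("/bytes/to-array/transfered", test_to_array_transferred);
+g_test_add_func ("/bytes/to-array/two-refs", test_to_array_two_refs);
+g_test_add_func ("/bytes/to-array/non-malloc", test_to_array_non_malloc);
++ g_test_add_func ("/bytes/to-array/transferred/oversize", test_to_array_transferred_oversize);
+g_test_add_func ("/bytes/null", test_null);
+
+return g_test_run ();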
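Review bot: The length guard added to g_byte_array_new_take() (patch line 49) is a `g_return_val_if_fail()`, which GLib compiles out when it is built with G_DISABLE_CHECKS, so on such a build an oversized `len` would still be truncated silently; it is worth confirming that no configuration of this recipe disables precondition checks. When the check does fire, the function returns NULL without taking ownership of `data`, which is why the new test has to call `g_free (data)` itself at patch line 110, yet neither doc hunk states this; I would add ` * If @len exceeds %G_MAXUINT, %NULL is returned and @data is not freed.` to the g_byte_array_new_take() comment. The gbytes.c hunk changes documentation only, so a caller of g_bytes_unref_to_array() that reaches this path presumably gets NULL back with no pointer left to release, and any other use of the size inside that function is not visible here. The test also relies on `g_memdup2()` from `glib/gstrfuncsprivate.h`, which this patch does not add, so it has to be ordered after whichever patch in the series provides that header; both function bodies continue outside the hunks shown.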