1 files changed, 129 insertions, 0 deletions
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27218.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27218.patch
new file mode 100644
index 0000000000..6257763d8d
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27218.patch
@@ -0,0 +1,129 @@
+Backport of:
+From 0f384c88a241bbbd884487b1c40b7b75f1e638d3 Mon Sep 17 00:00:00 2001
+From: Krzesimir Nowak <qdlacz@gmail.com>
+Date: Wed, 10 Feb 2021 23:51:07 +0100
+Subject: [PATCH] gbytearray: Do not accept too large byte arrays
+GByteArray uses guint for storing the length of the byte array, but it
+also has a constructor (g_byte_array_new_take) that takes length as a
+gsize. gsize may be larger than guint (64 bits for gsize vs 32 bits
+for guint). It is possible to call the function with a value greater
+than G_MAXUINT, which will result in silent length truncation. This
+may happen as a result of unreffing GBytes into GByteArray, so rather
+be loud about it.
+(Test case tweaked by Philip Withnall.)
+(Backport 2.66: Add #include gstrfuncsprivate.h in the test case for
+`g_memdup2()`.)
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27218
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+---
+ glib/garray.c      |  6 ++++++
+ glib/gbytes.c      |  4 ++++
+ glib/tests/bytes.c | 35 ++++++++++++++++++++++++++++++++++-
+ 3 files changed, 44 insertions(+), 1 deletion(-)
+--- a/glib/garray.c
+++ b/glib/garray.c
+@@ -2234,6 +2234,10 @@ g_byte_array_steal (GByteArray *array,
+  * Create byte array containing the data. The data will be owned by the array
+  * and will be freed with g_free(), i.e. it could be allocated using g_strdup().
+  *
+ * Do not use it if @len is greater than %G_MAXUINT. #GByteArray
+ * stores the length of its data in #guint, which may be shorter than
+ * #gsize.
+ *
+  * Since: 2.32
+  *
+  * Returns: (transfer full): a new #GByteArray
+@@ -2245,6 +2249,8 @@ g_byte_array_new_take (guint8 *data,
+   GByteArray *array;
+   GRealArray *real;
+ 
+  g_return_val_if_fail (len <= G_MAXUINT, NULL);
+
+   array = g_byte_array_new ();
+   real = (GRealArray *)array;
+   g_assert (real->data == NULL);
+--- a/glib/gbytes.c
+++ b/glib/gbytes.c
+@@ -519,6 +519,10 @@ g_bytes_unref_to_data (GBytes *bytes,
+  * g_bytes_new(), g_bytes_new_take() or g_byte_array_free_to_bytes(). In all
+  * other cases the data is copied.
+  *
+ * Do not use it if @bytes contains more than %G_MAXUINT
+ * bytes. #GByteArray stores the length of its data in #guint, which
+ * may be shorter than #gsize, that @bytes is using.
+ *
+  * Returns: (transfer full): a new mutable #GByteArray containing the same byte data
+  *
+  * Since: 2.32
+--- a/glib/tests/bytes.c
+++ b/glib/tests/bytes.c
+@@ -10,12 +10,12 @@
+  */
+ 
+ #undef G_DISABLE_ASSERT
+-#undef G_LOG_DOMAIN
+ 
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include "glib.h"
+#include "glib/gstrfuncsprivate.h"
+ 
+ /* Keep in sync with glib/gbytes.c */
+ struct _GBytes
+@@ -334,6 +334,38 @@ test_to_array_transferred (void)
+ }
+ 
+ static void
+test_to_array_transferred_oversize (void)
+{
+  g_test_message ("g_bytes_unref_to_array() can only take GBytes up to "
+                  "G_MAXUINT in length; test that longer ones are rejected");
+
+  if (sizeof (guint) >= sizeof (gsize))
+    {
+      g_test_skip ("Skipping test as guint is not smaller than gsize");
+    }
+  else if (g_test_undefined ())
+    {
+      GByteArray *array = NULL;
+      GBytes *bytes = NULL;
+      gpointer data = g_memdup2 (NYAN, N_NYAN);
+      gsize len = ((gsize) G_MAXUINT) + 1;
+
+      bytes = g_bytes_new_take (data, len);
+      g_test_expect_message (G_LOG_DOMAIN, G_LOG_LEVEL_CRITICAL,
+                             "g_byte_array_new_take: assertion 'len <= G_MAXUINT' failed");
+      array = g_bytes_unref_to_array (g_steal_pointer (&bytes));
+      g_test_assert_expected_messages ();
+      g_assert_null (array);
+
+      g_free (data);
+    }
+  else
+    {
+      g_test_skip ("Skipping test as testing undefined behaviour is disabled");
+    }
+}
+
+static void
+ test_to_array_two_refs (void)
+ {
+   gconstpointer memory;
+@@ -410,6 +442,7 @@ main (int argc, char *argv[])
+   g_test_add_func ("/bytes/to-array/transfered", test_to_array_transferred);
+   g_test_add_func ("/bytes/to-array/two-refs", test_to_array_two_refs);
+   g_test_add_func ("/bytes/to-array/non-malloc", test_to_array_non_malloc);
+  g_test_add_func ("/bytes/to-array/transferred/oversize", test_to_array_transferred_oversize);
+   g_test_add_func ("/bytes/null", test_null);
+ 
+   return g_test_run ();

diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27218.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27218.patch new file mode 100644 index 0000000000..6257763d8d --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27218.patch
@@ -0,0 +1,129 @@
	1	Backport of:
	2
	3	From 0f384c88a241bbbd884487b1c40b7b75f1e638d3 Mon Sep 17 00:00:00 2001
	4	From: Krzesimir Nowak <qdlacz@gmail.com>
	5	Date: Wed, 10 Feb 2021 23:51:07 +0100
	6	Subject: [PATCH] gbytearray: Do not accept too large byte arrays
	7
	8	GByteArray uses guint for storing the length of the byte array, but it
	9	also has a constructor (g_byte_array_new_take) that takes length as a
	10	gsize. gsize may be larger than guint (64 bits for gsize vs 32 bits
	11	for guint). It is possible to call the function with a value greater
	12	than G_MAXUINT, which will result in silent length truncation. This
	13	may happen as a result of unreffing GBytes into GByteArray, so rather
	14	be loud about it.
	15
	16	(Test case tweaked by Philip Withnall.)
	17
	18	(Backport 2.66: Add #include gstrfuncsprivate.h in the test case for
	19	`g_memdup2()`.)
	20
	21	Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
	22	CVE: CVE-2021-27218
	23	Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
	24	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
	25
	26	---
	27	glib/garray.c \| 6 ++++++
	28	glib/gbytes.c \| 4 ++++
	29	glib/tests/bytes.c \| 35 ++++++++++++++++++++++++++++++++++-
	30	3 files changed, 44 insertions(+), 1 deletion(-)
	31
	32	--- a/glib/garray.c
	33	+++ b/glib/garray.c
	34	@@ -2234,6 +2234,10 @@ g_byte_array_steal (GByteArray *array,
	35	* Create byte array containing the data. The data will be owned by the array
	36	* and will be freed with g_free(), i.e. it could be allocated using g_strdup().
	37	*
	38	+ * Do not use it if @len is greater than %G_MAXUINT. #GByteArray
	39	+ * stores the length of its data in #guint, which may be shorter than
	40	+ * #gsize.
	41	+ *
	42	* Since: 2.32
	43	*
	44	* Returns: (transfer full): a new #GByteArray
	45	@@ -2245,6 +2249,8 @@ g_byte_array_new_take (guint8 *data,
	46	GByteArray *array;
	47	GRealArray *real;
	48
	49	+ g_return_val_if_fail (len <= G_MAXUINT, NULL);
	50	+
	51	array = g_byte_array_new ();
	52	real = (GRealArray *)array;
	53	g_assert (real->data == NULL);
	54	--- a/glib/gbytes.c
	55	+++ b/glib/gbytes.c
	56	@@ -519,6 +519,10 @@ g_bytes_unref_to_data (GBytes *bytes,
	57	* g_bytes_new(), g_bytes_new_take() or g_byte_array_free_to_bytes(). In all
	58	* other cases the data is copied.
	59	*
	60	+ * Do not use it if @bytes contains more than %G_MAXUINT
	61	+ * bytes. #GByteArray stores the length of its data in #guint, which
	62	+ * may be shorter than #gsize, that @bytes is using.
	63	+ *
	64	* Returns: (transfer full): a new mutable #GByteArray containing the same byte data
	65	*
	66	* Since: 2.32
	67	--- a/glib/tests/bytes.c
	68	+++ b/glib/tests/bytes.c
	69	@@ -10,12 +10,12 @@
	70	*/
	71
	72	#undef G_DISABLE_ASSERT
	73	-#undef G_LOG_DOMAIN
	74
	75	#include <stdio.h>
	76	#include <stdlib.h>
	77	#include <string.h>
	78	#include "glib.h"
	79	+#include "glib/gstrfuncsprivate.h"
	80
	81	/* Keep in sync with glib/gbytes.c */
	82	struct _GBytes
	83	@@ -334,6 +334,38 @@ test_to_array_transferred (void)
	84	}
	85
	86	static void
	87	+test_to_array_transferred_oversize (void)
	88	+{
	89	+ g_test_message ("g_bytes_unref_to_array() can only take GBytes up to "
	90	+ "G_MAXUINT in length; test that longer ones are rejected");
	91	+
	92	+ if (sizeof (guint) >= sizeof (gsize))
	93	+ {
	94	+ g_test_skip ("Skipping test as guint is not smaller than gsize");
	95	+ }
	96	+ else if (g_test_undefined ())
	97	+ {
	98	+ GByteArray *array = NULL;
	99	+ GBytes *bytes = NULL;
	100	+ gpointer data = g_memdup2 (NYAN, N_NYAN);
	101	+ gsize len = ((gsize) G_MAXUINT) + 1;
	102	+
	103	+ bytes = g_bytes_new_take (data, len);
	104	+ g_test_expect_message (G_LOG_DOMAIN, G_LOG_LEVEL_CRITICAL,
	105	+ "g_byte_array_new_take: assertion 'len <= G_MAXUINT' failed");
	106	+ array = g_bytes_unref_to_array (g_steal_pointer (&bytes));
	107	+ g_test_assert_expected_messages ();
	108	+ g_assert_null (array);
	109	+
	110	+ g_free (data);
	111	+ }
	112	+ else
	113	+ {
	114	+ g_test_skip ("Skipping test as testing undefined behaviour is disabled");
	115	+ }
	116	+}
	117	+
	118	+static void
	119	test_to_array_two_refs (void)
	120	{
	121	gconstpointer memory;
	122	@@ -410,6 +442,7 @@ main (int argc, char *argv[])
	123	g_test_add_func ("/bytes/to-array/transfered", test_to_array_transferred);
	124	g_test_add_func ("/bytes/to-array/two-refs", test_to_array_two_refs);
	125	g_test_add_func ("/bytes/to-array/non-malloc", test_to_array_non_malloc);
	126	+ g_test_add_func ("/bytes/to-array/transferred/oversize", test_to_array_transferred_oversize);
	127	g_test_add_func ("/bytes/null", test_null);
	128
	129	return g_test_run ();