Diffstat (limited to 'meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-04.patch')
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-04.patch298
1 files changed, 298 insertions, 0 deletions
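diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-04.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-04.patch
new file mode 100644
index 0000000000..6a3ac6b552
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-04.patch
@@ -0,0 +1,298 @@
+Backport of:
+
+From 0736b7c1e7cf4232c5d7eb2b0fbfe9be81bd3baa Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 4 Feb 2021 13:41:21 +0000
+Subject: [PATCH 04/11] glib: Use g_memdup2() instead of g_memdup() in obvious
+ places
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Convert all the call sites which use `g_memdup()`’s length argument
+trivially (for example, by passing a `sizeof()` or an existing `gsize`
+variable), so that they use `g_memdup2()` instead.
+
+In almost all of these cases the use of `g_memdup()` would not have
+caused problems, but it will soon be deprecated, so best port away from
+it
+
+In particular, this fixes an overflow within `g_bytes_new()`, identified
+as GHSL-2021-045 by GHSL team member Kevin Backhouse.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+Fixes: GHSL-2021-045
+Helps: #2319
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ glib/gbytes.c | 6 ++++--
+ glib/gdir.c | 3 ++-
+ glib/ghash.c | 7 ++++---
+ glib/giochannel.c | 5 +++--
+ glib/gslice.c | 3 ++-
+ glib/gtestutils.c | 3 ++-
+ glib/gvariant.c | 7 ++++---
+ glib/gvarianttype.c | 3 ++-
+ glib/tests/array-test.c | 4 +++-
+ glib/tests/option-context.c | 6 ++++--
+ glib/tests/uri.c | 8 +++++---
+ 11 files changed, 35 insertions(+), 20 deletions(-)
+
+--- a/glib/gbytes.c
++++ b/glib/gbytes.c
+@@ -34,6 +34,8 @@
+
+ #include <string.h>
+
++#include "gstrfuncsprivate.h"
++
+ /**
+ * GBytes:
+ *
+@@ -95,7 +97,7 @@ g_bytes_new (gconstpointer data,
+ {
+ g_return_val_if_fail (data != NULL || size == 0, NULL);
+
+- return g_bytes_new_take (g_memdup (data, size), size);
++ return g_bytes_new_take (g_memdup2 (data, size), size);
+ }
+
+ /**
+@@ -499,7 +501,7 @@ g_bytes_unref_to_data (GBytes *bytes,
+ * Copy: Non g_malloc (or compatible) allocator, or static memory,
+ * so we have to copy, and then unref.
+ */
+- result = g_memdup (bytes->data, bytes->size);
++ result = g_memdup2 (bytes->data, bytes->size);
+ *size = bytes->size;
+ g_bytes_unref (bytes);
+ }
+--- a/glib/gdir.c
++++ b/glib/gdir.c
+@@ -37,6 +37,7 @@
+ #include "gconvert.h"
+ #include "gfileutils.h"
+ #include "gstrfuncs.h"
++#include "gstrfuncsprivate.h"
+ #include "gtestutils.h"
+ #include "glibintl.h"
+
+@@ -112,7 +113,7 @@ g_dir_open_with_errno (const gchar *path
+ return NULL;
+ #endif
+
+- return g_memdup (&dir, sizeof dir);
++ return g_memdup2 (&dir, sizeof dir);
+ }
+
+ /**
+--- a/glib/ghash.c
++++ b/glib/ghash.c
+@@ -34,6 +34,7 @@
+ #include "gmacros.h"
+ #include "glib-private.h"
+ #include "gstrfuncs.h"
++#include "gstrfuncsprivate.h"
+ #include "gatomic.h"
+ #include "gtestutils.h"
+ #include "gslice.h"
+@@ -962,7 +963,7 @@ g_hash_table_ensure_keyval_fits (GHashTa
+ if (hash_table->have_big_keys)
+ {
+ if (key != value)
+- hash_table->values = g_memdup (hash_table->keys, sizeof (gpointer) * hash_table->size);
++ hash_table->values = g_memdup2 (hash_table->keys, sizeof (gpointer) * hash_table->size);
+ /* Keys and values are both big now, so no need for further checks */
+ return;
+ }
+@@ -970,7 +971,7 @@ g_hash_table_ensure_keyval_fits (GHashTa
+ {
+ if (key != value)
+ {
+- hash_table->values = g_memdup (hash_table->keys, sizeof (guint) * hash_table->size);
++ hash_table->values = g_memdup2 (hash_table->keys, sizeof (guint) * hash_table->size);
+ is_a_set = FALSE;
+ }
+ }
+@@ -998,7 +999,7 @@ g_hash_table_ensure_keyval_fits (GHashTa
+
+ /* Just split if necessary */
+ if (is_a_set && key != value)
+- hash_table->values = g_memdup (hash_table->keys, sizeof (gpointer) * hash_table->size);
++ hash_table->values = g_memdup2 (hash_table->keys, sizeof (gpointer) * hash_table->size);
+
+ #endif
+ }
+--- a/glib/giochannel.c
++++ b/glib/giochannel.c
+@@ -35,7 +35,7 @@
+ #include <errno.h>
+
+ #include "giochannel.h"
+-
++#include "gstrfuncsprivate.h"
+ #include "gstrfuncs.h"
+ #include "gtestutils.h"
+ #include "glibintl.h"
+
+@@ -1673,10 +1674,10 @@ g_io_channel_read_line (GIOChannel *cha
+
+ /* Copy the read bytes (including any embedded nuls) and nul-terminate.
+ * `USE_BUF (channel)->str` is guaranteed to be nul-terminated as it’s a
+- * #GString, so it’s safe to call g_memdup() with +1 length to allocate
++ * #GString, so it’s safe to call g_memdup2() with +1 length to allocate
+ * a nul-terminator. */
+ g_assert (USE_BUF (channel));
+- line = g_memdup (USE_BUF (channel)->str, got_length + 1);
++ line = g_memdup2 (USE_BUF (channel)->str, got_length + 1);
+ line[got_length] = '\0';
+ *str_return = g_steal_pointer (&line);
+ g_string_erase (USE_BUF (channel), 0, got_length);
+--- a/glib/gslice.c
++++ b/glib/gslice.c
+@@ -41,6 +41,7 @@
+ #include "gmain.h"
+ #include "gmem.h" /* gslice.h */
+ #include "gstrfuncs.h"
++#include "gstrfuncsprivate.h"
+ #include "gutils.h"
+ #include "gtrashstack.h"
+ #include "gtestutils.h"
+@@ -350,7 +351,7 @@ g_slice_get_config_state (GSliceConfig c
+ array[i++] = allocator->contention_counters[address];
+ array[i++] = allocator_get_magazine_threshold (allocator, address);
+ *n_values = i;
+- return g_memdup (array, sizeof (array[0]) * *n_values);
++ return g_memdup2 (array, sizeof (array[0]) * *n_values);
+ default:
+ return NULL;
+ }
+--- a/glib/gtestutils.c
++++ b/glib/gtestutils.c
+@@ -49,6 +49,7 @@
+ #include "gpattern.h"
+ #include "grand.h"
+ #include "gstrfuncs.h"
++#include "gstrfuncsprivate.h"
+ #include "gtimer.h"
+ #include "gslice.h"
+ #include "gspawn.h"
+@@ -3803,7 +3804,7 @@ g_test_log_extract (GTestLogBuffer *tbuf
+ if (p <= tbuffer->data->str + mlength)
+ {
+ g_string_erase (tbuffer->data, 0, mlength);
+- tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup (&msg, sizeof (msg)));
++ tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup2 (&msg, sizeof (msg)));
+ return TRUE;
+ }
+
+--- a/glib/gvariant.c
++++ b/glib/gvariant.c
+@@ -33,6 +33,7 @@
+
+ #include <string.h>
+
++#include "gstrfuncsprivate.h"
+
+ /**
+ * SECTION:gvariant
+@@ -725,7 +726,7 @@ g_variant_new_variant (GVariant *value)
+ g_variant_ref_sink (value);
+
+ return g_variant_new_from_children (G_VARIANT_TYPE_VARIANT,
+- g_memdup (&value, sizeof value),
++ g_memdup2 (&value, sizeof value),
+ 1, g_variant_is_trusted (value));
+ }
+
+@@ -1229,7 +1230,7 @@ g_variant_new_fixed_array (const GVarian
+ return NULL;
+ }
+
+- data = g_memdup (elements, n_elements * element_size);
++ data = g_memdup2 (elements, n_elements * element_size);
+ value = g_variant_new_from_data (array_type, data,
+ n_elements * element_size,
+ FALSE, g_free, data);
+@@ -1908,7 +1909,7 @@ g_variant_dup_bytestring (GVariant *valu
+ if (length)
+ *length = size;
+
+- return g_memdup (original, size + 1);
++ return g_memdup2 (original, size + 1);
+ }
+
+ /**
+--- a/glib/gvarianttype.c
++++ b/glib/gvarianttype.c
+@@ -28,6 +28,7 @@
+
+ #include <string.h>
+
++#include "gstrfuncsprivate.h"
+
+ /**
+ * SECTION:gvarianttype
+@@ -1181,7 +1182,7 @@ g_variant_type_new_tuple (const GVariant
+ g_assert (offset < sizeof buffer);
+ buffer[offset++] = ')';
+
+- return (GVariantType *) g_memdup (buffer, offset);
++ return (GVariantType *) g_memdup2 (buffer, offset);
+ }
+
+ /**
+--- a/glib/tests/array-test.c
++++ b/glib/tests/array-test.c
+@@ -29,6 +29,8 @@
+ #include <string.h>
+ #include "glib.h"
+
++#include "gstrfuncsprivate.h"
++
+ /* Test data to be passed to any function which calls g_array_new(), providing
+ * the parameters for that call. Most #GArray tests should be repeated for all
+ * possible values of #ArrayTestData. */
+@@ -1917,7 +1919,7 @@ byte_array_new_take (void)
+ GByteArray *gbarray;
+ guint8 *data;
+
+- data = g_memdup ("woooweeewow", 11);
++ data = g_memdup2 ("woooweeewow", 11);
+ gbarray = g_byte_array_new_take (data, 11);
+ g_assert (gbarray->data == data);
+ g_assert_cmpuint (gbarray->len, ==, 11);
+--- a/glib/tests/option-context.c
++++ b/glib/tests/option-context.c
+@@ -27,6 +27,8 @@
+ #include <string.h>
+ #include <locale.h>
+
++#include "gstrfuncsprivate.h"
++
+ static GOptionEntry main_entries[] = {
+ { "main-switch", 0, 0,
+ G_OPTION_ARG_NONE, NULL,
+@@ -256,7 +258,7 @@ join_stringv (int argc, char **argv)
+ static char **
+ copy_stringv (char **argv, int argc)
+ {
+- return g_memdup (argv, sizeof (char *) * (argc + 1));
++ return g_memdup2 (argv, sizeof (char *) * (argc + 1));
+ }
+
+ static void
+@@ -2323,7 +2325,7 @@ test_group_parse (void)
+ g_option_context_add_group (context, group);
+
+ argv = split_string ("program --test arg1 -f arg2 --group-test arg3 --frob arg4 -z arg5", &argc);
+- orig_argv = g_memdup (argv, (argc + 1) * sizeof (char *));
++ orig_argv = g_memdup2 (argv, (argc + 1) * sizeof (char *));
+
+ retval = g_option_context_parse (context, &argc, &argv, &error);
+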
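Review bot: The diffstat embedded in the patch header lists eleven files, including `glib/tests/uri.c | 8 +++++---`, but the patch body carries hunks for only ten files and none for `glib/tests/uri.c`, so the header no longer describes what this backport actually applies. Because the file is tracked under `CVE: CVE-2021-27219`, anyone auditing which `g_memdup()` call sites were converted will be misled by the stale summary. I would add a line after `Backport of:` such as `Note: the glib/tests/uri.c hunk of the upstream commit is not part of this backport.` and correct or drop the `11 files changed, 35 insertions(+), 20 deletions(-)` line. Separately, the converted calls that compute their length (`n_elements * element_size` in g_variant_new_fixed_array, `sizeof (gpointer) * hash_table->size` in ghash.c) still rely on checks outside the visible hunks to rule out a wrapped product; as far as these hunks show, `g_memdup2()` only widens the length parameter, so that is worth confirming in the enclosing functions.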