diff options
Diffstat (limited to 'meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-05.patch')
| -rw-r--r-- | meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-05.patch | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-05.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-05.patch new file mode 100644 index 0000000000..4f86522d00 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-05.patch | |||
| @@ -0,0 +1,54 @@ | |||
| 1 | From 0cbad673215ec8a049b7fe2ff44b0beed31b376e Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Philip Withnall <pwithnall@endlessos.org> | ||
| 3 | Date: Thu, 4 Feb 2021 16:12:24 +0000 | ||
| 4 | Subject: [PATCH 05/11] gwinhttpfile: Avoid arithmetic overflow when | ||
| 5 | calculating a size | ||
| 6 | MIME-Version: 1.0 | ||
| 7 | Content-Type: text/plain; charset=UTF-8 | ||
| 8 | Content-Transfer-Encoding: 8bit | ||
| 9 | |||
| 10 | The members of `URL_COMPONENTS` (`winhttp_file->url`) are `DWORD`s, i.e. | ||
| 11 | 32-bit unsigned integers. Adding to and multiplying them may cause them | ||
| 12 | to overflow the unsigned integer bounds, even if the result is passed to | ||
| 13 | `g_memdup2()` which accepts a `gsize`. | ||
| 14 | |||
| 15 | Cast the `URL_COMPONENTS` members to `gsize` first to ensure that the | ||
| 16 | arithmetic is done in terms of `gsize`s rather than unsigned integers. | ||
| 17 | |||
| 18 | Spotted by Sebastian Dröge. | ||
| 19 | |||
| 20 | Signed-off-by: Philip Withnall <pwithnall@endlessos.org> | ||
| 21 | Helps: #2319 | ||
| 22 | |||
| 23 | Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz] | ||
| 24 | CVE: CVE-2021-27219 | ||
| 25 | Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com> | ||
| 26 | Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | ||
| 27 | |||
| 28 | --- | ||
| 29 | gio/win32/gwinhttpfile.c | 8 ++++---- | ||
| 30 | 1 file changed, 4 insertions(+), 4 deletions(-) | ||
| 31 | |||
| 32 | diff --git a/gio/win32/gwinhttpfile.c b/gio/win32/gwinhttpfile.c | ||
| 33 | index 3f8fbd838..e0340e247 100644 | ||
| 34 | --- a/gio/win32/gwinhttpfile.c | ||
| 35 | +++ b/gio/win32/gwinhttpfile.c | ||
| 36 | @@ -410,10 +410,10 @@ g_winhttp_file_resolve_relative_path (GFile *file, | ||
| 37 | child = g_object_new (G_TYPE_WINHTTP_FILE, NULL); | ||
| 38 | child->vfs = winhttp_file->vfs; | ||
| 39 | child->url = winhttp_file->url; | ||
| 40 | - child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2); | ||
| 41 | - child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2); | ||
| 42 | - child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2); | ||
| 43 | - child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2); | ||
| 44 | + child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, ((gsize) winhttp_file->url.dwSchemeLength + 1) * 2); | ||
| 45 | + child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, ((gsize) winhttp_file->url.dwHostNameLength + 1) * 2); | ||
| 46 | + child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, ((gsize) winhttp_file->url.dwUserNameLength + 1) * 2); | ||
| 47 | + child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, ((gsize) winhttp_file->url.dwPasswordLength + 1) * 2); | ||
| 48 | child->url.lpszUrlPath = wnew_path; | ||
| 49 | child->url.dwUrlPathLength = wcslen (wnew_path); | ||
| 50 | child->url.lpszExtraInfo = NULL; | ||
| 51 | -- | ||
| 52 | GitLab | ||
| 53 | |||
| 54 | |||