Diffstat (limited to 'meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-06.patch')
-rw-r--r-- | meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-06.patch | 101 |
1 files changed, 101 insertions, 0 deletions
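--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-06.patch
@@ -0,0 +1,101 @@
+From f9ee2275cbc312c0b4cdbc338a4fbb76eb36fb9a Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 4 Feb 2021 13:49:00 +0000
+Subject: [PATCH 06/11] gdatainputstream: Handle stop_chars_len internally as
+gsize
+
+Previously it was handled as a `gssize`, which meant that if the
+`stop_chars` string was longer than `G_MAXSSIZE` there would be an
+overflow.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+Helps: #2319
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+gio/gdatainputstream.c | 25 +++++++++++++++++--------
+1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/gio/gdatainputstream.c b/gio/gdatainputstream.c
+index 2e7750cb5..2cdcbda19 100644
+--- a/gio/gdatainputstream.c
++++ b/gio/gdatainputstream.c
+@@ -27,6 +27,7 @@
+#include "gioenumtypes.h"
+#include "gioerror.h"
+#include "glibintl.h"
++#include "gstrfuncsprivate.h"
+
+#include <string.h>
+
+@@ -856,7 +857,7 @@ static gssize
+scan_for_chars (GDataInputStream *stream,
+gsize *checked_out,
+const char *stop_chars,
+- gssize stop_chars_len)
++ gsize stop_chars_len)
+{
+GBufferedInputStream *bstream;
+const char *buffer;
+@@ -952,7 +953,7 @@ typedef struct
+gsize checked;
+
+gchar *stop_chars;
+- gssize stop_chars_len;
++ gsize stop_chars_len;
+gsize length;
+} GDataInputStreamReadData;
+
+@@ -1078,12 +1079,17 @@ g_data_input_stream_read_async (GDataInputStream *stream,
+{
+GDataInputStreamReadData *data;
+GTask *task;
++ gsize stop_chars_len_unsigned;
+
+data = g_slice_new0 (GDataInputStreamReadData);
+- if (stop_chars_len == -1)
+- stop_chars_len = strlen (stop_chars);
+- data->stop_chars = g_memdup (stop_chars, stop_chars_len);
+- data->stop_chars_len = stop_chars_len;
++
++ if (stop_chars_len < 0)
++ stop_chars_len_unsigned = strlen (stop_chars);
++ else
++ stop_chars_len_unsigned = (gsize) stop_chars_len;
++
++ data->stop_chars = g_memdup2 (stop_chars, stop_chars_len_unsigned);
++ data->stop_chars_len = stop_chars_len_unsigned;
+data->last_saw_cr = FALSE;
+
+task = g_task_new (stream, cancellable, callback, user_data);
+@@ -1338,17 +1344,20 @@ g_data_input_stream_read_upto (GDataInputStream *stream,
+gssize found_pos;
+gssize res;
+char *data_until;
++ gsize stop_chars_len_unsigned;
+
+g_return_val_if_fail (G_IS_DATA_INPUT_STREAM (stream), NULL);
+
+if (stop_chars_len < 0)
+- stop_chars_len = strlen (stop_chars);
++ stop_chars_len_unsigned = strlen (stop_chars);
++ else
++ stop_chars_len_unsigned = (gsize) stop_chars_len;
+
+bstream = G_BUFFERED_INPUT_STREAM (stream);
+
+checked = 0;
+
+- while ((found_pos = scan_for_chars (stream, &checked, stop_chars, stop_chars_len)) == -1)
++ while ((found_pos = scan_for_chars (stream, &checked, stop_chars, stop_chars_len_unsigned)) == -1)
+{
+if (g_buffered_input_stream_get_available (bstream) ==
+g_buffered_input_stream_get_buffer_size (bstream))
+--
+GitLab
+
+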
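Review bot: The backported change adds `#include "gstrfuncsprivate.h"` and calls `g_memdup2 (stop_chars, stop_chars_len_unsigned)` in `g_data_input_stream_read_async`, but nothing in this patch provides either. It is numbered 06/11, so presumably an earlier patch of the series supplies the header and the function; the recipe's patch order should be checked so that patch is applied first, otherwise the CVE fix fails to build or to apply. The `Upstream-Status: Backport [...]` line also points to an Ubuntu mirror tarball rather than to the upstream GLib commit named in the `From f9ee2275cbc312c0b4cdbc338a4fbb76eb36fb9a` header. Citing the upstream commit there would make the provenance of this security fix easier to verify. Separately, `g_data_input_stream_read_async` now treats every negative `stop_chars_len` as "use strlen" where it previously accepted only `-1`, which matches `g_data_input_stream_read_upto` and is worth a short comment at the `if (stop_chars_len < 0)` branch.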