1 files changed, 210 insertions, 0 deletions
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0002.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0002.patch
new file mode 100644
index 0000000000..0e96b8d457
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0002.patch
@@ -0,0 +1,210 @@
+From 446e69f5edd72deb2196dee36bbaf8056caf6948 Mon Sep 17 00:00:00 2001
+From: William Manley <will@stb-tester.com>
+Date: Wed, 9 Aug 2023 10:39:34 +0000
+Subject: [PATCH] gvariant-serialiser: Factor out functions for dealing with
+ framing offsets
+This introduces no functional changes.
+Helps: #2121
+CVE: CVE-2023-32665
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/446e69f5edd72deb2196dee36bbaf8056caf6948]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant-serialiser.c | 108 +++++++++++++++++++------------------
+ 1 file changed, 57 insertions(+), 51 deletions(-)
+diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
+index 83e9d85..c7c2114 100644
+--- a/glib/gvariant-serialiser.c
+++ b/glib/gvariant-serialiser.c
+@@ -633,30 +633,62 @@ gvs_calculate_total_size (gsize body_size,
+   return body_size + 8 * offsets;
+ }
+ 
+struct Offsets
+{
+  gsize     data_size;
+
+  guchar   *array;
+  gsize     length;
+  guint     offset_size;
+
+  gboolean  is_normal;
+};
+
+ static gsize
+-gvs_variable_sized_array_n_children (GVariantSerialised value)
+gvs_offsets_get_offset_n (struct Offsets *offsets,
+                          gsize           n)
+{
+  return gvs_read_unaligned_le (
+      offsets->array + (offsets->offset_size * n), offsets->offset_size);
+}
+
+static struct Offsets
+gvs_variable_sized_array_get_frame_offsets (GVariantSerialised value)
+ {
+  struct Offsets out = { 0, };
+   gsize offsets_array_size;
+-  gsize offset_size;
+   gsize last_end;
+ 
+   if (value.size == 0)
+-    return 0;
+-
+-  offset_size = gvs_get_offset_size (value.size);
+    {
+      out.is_normal = TRUE;
+      return out;
+    }
+ 
+-  last_end = gvs_read_unaligned_le (value.data + value.size -
+-                                    offset_size, offset_size);
+  out.offset_size = gvs_get_offset_size (value.size);
+  last_end = gvs_read_unaligned_le (value.data + value.size - out.offset_size,
+                                    out.offset_size);
+ 
+   if (last_end > value.size)
+-    return 0;
+    return out;  /* offsets not normal */
+ 
+   offsets_array_size = value.size - last_end;
+ 
+-  if (offsets_array_size % offset_size)
+-    return 0;
+  if (offsets_array_size % out.offset_size)
+    return out;  /* offsets not normal */
+
+  out.data_size = last_end;
+  out.array = value.data + last_end;
+  out.length = offsets_array_size / out.offset_size;
+  out.is_normal = TRUE;
+ 
+-  return offsets_array_size / offset_size;
+  return out;
+}
+
+static gsize
+gvs_variable_sized_array_n_children (GVariantSerialised value)
+{
+  return gvs_variable_sized_array_get_frame_offsets (value).length;
+ }
+ 
+ static GVariantSerialised
+@@ -664,8 +696,9 @@ gvs_variable_sized_array_get_child (GVariantSerialised value,
+                                     gsize              index_)
+ {
+   GVariantSerialised child = { 0, };
+-  gsize offset_size;
+-  gsize last_end;
+
+  struct Offsets offsets = gvs_variable_sized_array_get_frame_offsets (value);
+
+   gsize start;
+   gsize end;
+ 
+@@ -673,18 +706,11 @@ gvs_variable_sized_array_get_child (GVariantSerialised value,
+   g_variant_type_info_ref (child.type_info);
+   child.depth = value.depth + 1;
+ 
+-  offset_size = gvs_get_offset_size (value.size);
+-
+-  last_end = gvs_read_unaligned_le (value.data + value.size -
+-                                    offset_size, offset_size);
+-
+   if (index_ > 0)
+     {
+       guint alignment;
+ 
+-      start = gvs_read_unaligned_le (value.data + last_end +
+-                                     (offset_size * (index_ - 1)),
+-                                     offset_size);
+      start = gvs_offsets_get_offset_n (&offsets, index_ - 1);
+ 
+       g_variant_type_info_query (child.type_info, &alignment, NULL);
+       start += (-start) & alignment;
+@@ -692,11 +718,9 @@ gvs_variable_sized_array_get_child (GVariantSerialised value,
+   else
+     start = 0;
+ 
+-  end = gvs_read_unaligned_le (value.data + last_end +
+-                               (offset_size * index_),
+-                               offset_size);
+  end = gvs_offsets_get_offset_n (&offsets, index_);
+ 
+-  if (start < end && end <= value.size && end <= last_end)
+  if (start < end && end <= value.size && end <= offsets.data_size)
+     {
+       child.data = value.data + start;
+       child.size = end - start;
+@@ -768,34 +792,16 @@ static gboolean
+ gvs_variable_sized_array_is_normal (GVariantSerialised value)
+ {
+   GVariantSerialised child = { 0, };
+-  gsize offsets_array_size;
+-  guchar *offsets_array;
+-  guint offset_size;
+   guint alignment;
+-  gsize last_end;
+-  gsize length;
+   gsize offset;
+   gsize i;
+ 
+-  if (value.size == 0)
+-    return TRUE;
+-
+-  offset_size = gvs_get_offset_size (value.size);
+-  last_end = gvs_read_unaligned_le (value.data + value.size -
+-                                    offset_size, offset_size);
+  struct Offsets offsets = gvs_variable_sized_array_get_frame_offsets (value);
+ 
+-  if (last_end > value.size)
+  if (!offsets.is_normal)
+     return FALSE;
+ 
+-  offsets_array_size = value.size - last_end;
+-
+-  if (offsets_array_size % offset_size)
+-    return FALSE;
+-
+-  offsets_array = value.data + value.size - offsets_array_size;
+-  length = offsets_array_size / offset_size;
+-
+-  if (length == 0)
+  if (value.size != 0 && offsets.length == 0)
+     return FALSE;
+ 
+   child.type_info = g_variant_type_info_element (value.type_info);
+@@ -803,14 +809,14 @@ gvs_variable_sized_array_is_normal (GVariantSerialised value)
+   child.depth = value.depth + 1;
+   offset = 0;
+ 
+-  for (i = 0; i < length; i++)
+  for (i = 0; i < offsets.length; i++)
+     {
+       gsize this_end;
+ 
+-      this_end = gvs_read_unaligned_le (offsets_array + offset_size * i,
+-                                        offset_size);
+      this_end = gvs_read_unaligned_le (offsets.array + offsets.offset_size * i,
+                                        offsets.offset_size);
+ 
+-      if (this_end < offset || this_end > last_end)
+      if (this_end < offset || this_end > offsets.data_size)
+         return FALSE;
+ 
+       while (offset & alignment)
+@@ -832,7 +838,7 @@ gvs_variable_sized_array_is_normal (GVariantSerialised value)
+       offset = this_end;
+     }
+ 
+-  g_assert (offset == last_end);
+  g_assert (offset == offsets.data_size);
+ 
+   return TRUE;
+ }
+-- 
+2.24.4

diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0002.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0002.patch new file mode 100644 index 0000000000..0e96b8d457 --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0002.patch
@@ -0,0 +1,210 @@
	1	From 446e69f5edd72deb2196dee36bbaf8056caf6948 Mon Sep 17 00:00:00 2001
	2	From: William Manley <will@stb-tester.com>
	3	Date: Wed, 9 Aug 2023 10:39:34 +0000
	4	Subject: [PATCH] gvariant-serialiser: Factor out functions for dealing with
	5	framing offsets
	6
	7	This introduces no functional changes.
	8
	9	Helps: #2121
	10
	11	CVE: CVE-2023-32665
	12	Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/446e69f5edd72deb2196dee36bbaf8056caf6948]
	13	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
	14	---
	15	glib/gvariant-serialiser.c \| 108 +++++++++++++++++++------------------
	16	1 file changed, 57 insertions(+), 51 deletions(-)
	17
	18	diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
	19	index 83e9d85..c7c2114 100644
	20	--- a/glib/gvariant-serialiser.c
	21	+++ b/glib/gvariant-serialiser.c
	22	@@ -633,30 +633,62 @@ gvs_calculate_total_size (gsize body_size,
	23	return body_size + 8 * offsets;
	24	}
	25
	26	+struct Offsets
	27	+{
	28	+ gsize data_size;
	29	+
	30	+ guchar *array;
	31	+ gsize length;
	32	+ guint offset_size;
	33	+
	34	+ gboolean is_normal;
	35	+};
	36	+
	37	static gsize
	38	-gvs_variable_sized_array_n_children (GVariantSerialised value)
	39	+gvs_offsets_get_offset_n (struct Offsets *offsets,
	40	+ gsize n)
	41	+{
	42	+ return gvs_read_unaligned_le (
	43	+ offsets->array + (offsets->offset_size * n), offsets->offset_size);
	44	+}
	45	+
	46	+static struct Offsets
	47	+gvs_variable_sized_array_get_frame_offsets (GVariantSerialised value)
	48	{
	49	+ struct Offsets out = { 0, };
	50	gsize offsets_array_size;
	51	- gsize offset_size;
	52	gsize last_end;
	53
	54	if (value.size == 0)
	55	- return 0;
	56	-
	57	- offset_size = gvs_get_offset_size (value.size);
	58	+ {
	59	+ out.is_normal = TRUE;
	60	+ return out;
	61	+ }
	62
	63	- last_end = gvs_read_unaligned_le (value.data + value.size -
	64	- offset_size, offset_size);
	65	+ out.offset_size = gvs_get_offset_size (value.size);
	66	+ last_end = gvs_read_unaligned_le (value.data + value.size - out.offset_size,
	67	+ out.offset_size);
	68
	69	if (last_end > value.size)
	70	- return 0;
	71	+ return out; /* offsets not normal */
	72
	73	offsets_array_size = value.size - last_end;
	74
	75	- if (offsets_array_size % offset_size)
	76	- return 0;
	77	+ if (offsets_array_size % out.offset_size)
	78	+ return out; /* offsets not normal */
	79	+
	80	+ out.data_size = last_end;
	81	+ out.array = value.data + last_end;
	82	+ out.length = offsets_array_size / out.offset_size;
	83	+ out.is_normal = TRUE;
	84
	85	- return offsets_array_size / offset_size;
	86	+ return out;
	87	+}
	88	+
	89	+static gsize
	90	+gvs_variable_sized_array_n_children (GVariantSerialised value)
	91	+{
	92	+ return gvs_variable_sized_array_get_frame_offsets (value).length;
	93	}
	94
	95	static GVariantSerialised
	96	@@ -664,8 +696,9 @@ gvs_variable_sized_array_get_child (GVariantSerialised value,
	97	gsize index_)
	98	{
	99	GVariantSerialised child = { 0, };
	100	- gsize offset_size;
	101	- gsize last_end;
	102	+
	103	+ struct Offsets offsets = gvs_variable_sized_array_get_frame_offsets (value);
	104	+
	105	gsize start;
	106	gsize end;
	107
	108	@@ -673,18 +706,11 @@ gvs_variable_sized_array_get_child (GVariantSerialised value,
	109	g_variant_type_info_ref (child.type_info);
	110	child.depth = value.depth + 1;
	111
	112	- offset_size = gvs_get_offset_size (value.size);
	113	-
	114	- last_end = gvs_read_unaligned_le (value.data + value.size -
	115	- offset_size, offset_size);
	116	-
	117	if (index_ > 0)
	118	{
	119	guint alignment;
	120
	121	- start = gvs_read_unaligned_le (value.data + last_end +
	122	- (offset_size * (index_ - 1)),
	123	- offset_size);
	124	+ start = gvs_offsets_get_offset_n (&offsets, index_ - 1);
	125
	126	g_variant_type_info_query (child.type_info, &alignment, NULL);
	127	start += (-start) & alignment;
	128	@@ -692,11 +718,9 @@ gvs_variable_sized_array_get_child (GVariantSerialised value,
	129	else
	130	start = 0;
	131
	132	- end = gvs_read_unaligned_le (value.data + last_end +
	133	- (offset_size * index_),
	134	- offset_size);
	135	+ end = gvs_offsets_get_offset_n (&offsets, index_);
	136
	137	- if (start < end && end <= value.size && end <= last_end)
	138	+ if (start < end && end <= value.size && end <= offsets.data_size)
	139	{
	140	child.data = value.data + start;
	141	child.size = end - start;
	142	@@ -768,34 +792,16 @@ static gboolean
	143	gvs_variable_sized_array_is_normal (GVariantSerialised value)
	144	{
	145	GVariantSerialised child = { 0, };
	146	- gsize offsets_array_size;
	147	- guchar *offsets_array;
	148	- guint offset_size;
	149	guint alignment;
	150	- gsize last_end;
	151	- gsize length;
	152	gsize offset;
	153	gsize i;
	154
	155	- if (value.size == 0)
	156	- return TRUE;
	157	-
	158	- offset_size = gvs_get_offset_size (value.size);
	159	- last_end = gvs_read_unaligned_le (value.data + value.size -
	160	- offset_size, offset_size);
	161	+ struct Offsets offsets = gvs_variable_sized_array_get_frame_offsets (value);
	162
	163	- if (last_end > value.size)
	164	+ if (!offsets.is_normal)
	165	return FALSE;
	166
	167	- offsets_array_size = value.size - last_end;
	168	-
	169	- if (offsets_array_size % offset_size)
	170	- return FALSE;
	171	-
	172	- offsets_array = value.data + value.size - offsets_array_size;
	173	- length = offsets_array_size / offset_size;
	174	-
	175	- if (length == 0)
	176	+ if (value.size != 0 && offsets.length == 0)
	177	return FALSE;
	178
	179	child.type_info = g_variant_type_info_element (value.type_info);
	180	@@ -803,14 +809,14 @@ gvs_variable_sized_array_is_normal (GVariantSerialised value)
	181	child.depth = value.depth + 1;
	182	offset = 0;
	183
	184	- for (i = 0; i < length; i++)
	185	+ for (i = 0; i < offsets.length; i++)
	186	{
	187	gsize this_end;
	188
	189	- this_end = gvs_read_unaligned_le (offsets_array + offset_size * i,
	190	- offset_size);
	191	+ this_end = gvs_read_unaligned_le (offsets.array + offsets.offset_size * i,
	192	+ offsets.offset_size);
	193
	194	- if (this_end < offset \|\| this_end > last_end)
	195	+ if (this_end < offset \|\| this_end > offsets.data_size)
	196	return FALSE;
	197
	198	while (offset & alignment)
	199	@@ -832,7 +838,7 @@ gvs_variable_sized_array_is_normal (GVariantSerialised value)
	200	offset = this_end;
	201	}
	202
	203	- g_assert (offset == last_end);
	204	+ g_assert (offset == offsets.data_size);
	205
	206	return TRUE;
	207	}
	208	--
	209	2.24.4
	210