1 files changed, 113 insertions, 0 deletions
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0004.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0004.patch
new file mode 100644
index 0000000000..c057729aae
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0004.patch
@@ -0,0 +1,113 @@
+From 345cae9c1aa7bf6752039225ef4c8d8d69fa8d76 Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Fri, 11 Aug 2023 04:09:12 +0000
+Subject: [PATCH] gvariant-serialiser: Factor out code to get bounds of a tuple
+ member
+This introduces no functional changes.
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+Helps: #2121
+CVE: CVE-2023-32665
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/345cae9c1aa7bf6752039225ef4c8d8d69fa8d76]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant-serialiser.c | 73 ++++++++++++++++++++++++--------------
+ 1 file changed, 46 insertions(+), 27 deletions(-)
+diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
+index fe0b1a4..6f9b366 100644
+--- a/glib/gvariant-serialiser.c
+++ b/glib/gvariant-serialiser.c
+@@ -942,6 +942,51 @@ gvs_variable_sized_array_is_normal (GVariantSerialised value)
+  * for the tuple.  See the notes in gvarianttypeinfo.h.
+  */
+ 
+static void
+gvs_tuple_get_member_bounds (GVariantSerialised  value,
+                             gsize               index_,
+                             gsize               offset_size,
+                             gsize              *out_member_start,
+                             gsize              *out_member_end)
+{
+  const GVariantMemberInfo *member_info;
+  gsize member_start, member_end;
+
+  member_info = g_variant_type_info_member_info (value.type_info, index_);
+
+  if (member_info->i + 1)
+    member_start = gvs_read_unaligned_le (value.data + value.size -
+                                          offset_size * (member_info->i + 1),
+                                          offset_size);
+  else
+    member_start = 0;
+
+  member_start += member_info->a;
+  member_start &= member_info->b;
+  member_start |= member_info->c;
+
+  if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_LAST)
+    member_end = value.size - offset_size * (member_info->i + 1);
+
+  else if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_FIXED)
+    {
+      gsize fixed_size;
+
+      g_variant_type_info_query (member_info->type_info, NULL, &fixed_size);
+      member_end = member_start + fixed_size;
+    }
+
+  else /* G_VARIANT_MEMBER_ENDING_OFFSET */
+    member_end = gvs_read_unaligned_le (value.data + value.size -
+                                        offset_size * (member_info->i + 2),
+                                        offset_size);
+
+  if (out_member_start != NULL)
+    *out_member_start = member_start;
+  if (out_member_end != NULL)
+    *out_member_end = member_end;
+}
+
+ static gsize
+ gvs_tuple_n_children (GVariantSerialised value)
+ {
+@@ -997,33 +1042,7 @@ gvs_tuple_get_child (GVariantSerialised value,
+         }
+     }
+ 
+-  if (member_info->i + 1)
+-    start = gvs_read_unaligned_le (value.data + value.size -
+-                                   offset_size * (member_info->i + 1),
+-                                   offset_size);
+-  else
+-    start = 0;
+-
+-  start += member_info->a;
+-  start &= member_info->b;
+-  start |= member_info->c;
+-
+-  if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_LAST)
+-    end = value.size - offset_size * (member_info->i + 1);
+-
+-  else if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_FIXED)
+-    {
+-      gsize fixed_size;
+-
+-      g_variant_type_info_query (child.type_info, NULL, &fixed_size);
+-      end = start + fixed_size;
+-      child.size = fixed_size;
+-    }
+-
+-  else /* G_VARIANT_MEMBER_ENDING_OFFSET */
+-    end = gvs_read_unaligned_le (value.data + value.size -
+-                                 offset_size * (member_info->i + 2),
+-                                 offset_size);
+  gvs_tuple_get_member_bounds (value, index_, offset_size, &start, &end);
+ 
+   /* The child should not extend into the offset table. */
+   if (index_ != g_variant_type_info_n_members (value.type_info) - 1)
+-- 
+2.24.4

diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0004.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0004.patch new file mode 100644 index 0000000000..c057729aae --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0004.patch
@@ -0,0 +1,113 @@
	1	From 345cae9c1aa7bf6752039225ef4c8d8d69fa8d76 Sep 17 00:00:00 2001
	2	From: Philip Withnall <pwithnall@endlessos.org>
	3	Date: Fri, 11 Aug 2023 04:09:12 +0000
	4	Subject: [PATCH] gvariant-serialiser: Factor out code to get bounds of a tuple
	5	member
	6
	7	This introduces no functional changes.
	8
	9	Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
	10
	11	Helps: #2121
	12
	13	CVE: CVE-2023-32665
	14	Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/345cae9c1aa7bf6752039225ef4c8d8d69fa8d76]
	15	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
	16	---
	17	glib/gvariant-serialiser.c \| 73 ++++++++++++++++++++++++--------------
	18	1 file changed, 46 insertions(+), 27 deletions(-)
	19
	20	diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
	21	index fe0b1a4..6f9b366 100644
	22	--- a/glib/gvariant-serialiser.c
	23	+++ b/glib/gvariant-serialiser.c
	24	@@ -942,6 +942,51 @@ gvs_variable_sized_array_is_normal (GVariantSerialised value)
	25	* for the tuple. See the notes in gvarianttypeinfo.h.
	26	*/
	27
	28	+static void
	29	+gvs_tuple_get_member_bounds (GVariantSerialised value,
	30	+ gsize index_,
	31	+ gsize offset_size,
	32	+ gsize *out_member_start,
	33	+ gsize *out_member_end)
	34	+{
	35	+ const GVariantMemberInfo *member_info;
	36	+ gsize member_start, member_end;
	37	+
	38	+ member_info = g_variant_type_info_member_info (value.type_info, index_);
	39	+
	40	+ if (member_info->i + 1)
	41	+ member_start = gvs_read_unaligned_le (value.data + value.size -
	42	+ offset_size * (member_info->i + 1),
	43	+ offset_size);
	44	+ else
	45	+ member_start = 0;
	46	+
	47	+ member_start += member_info->a;
	48	+ member_start &= member_info->b;
	49	+ member_start \|= member_info->c;
	50	+
	51	+ if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_LAST)
	52	+ member_end = value.size - offset_size * (member_info->i + 1);
	53	+
	54	+ else if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_FIXED)
	55	+ {
	56	+ gsize fixed_size;
	57	+
	58	+ g_variant_type_info_query (member_info->type_info, NULL, &fixed_size);
	59	+ member_end = member_start + fixed_size;
	60	+ }
	61	+
	62	+ else /* G_VARIANT_MEMBER_ENDING_OFFSET */
	63	+ member_end = gvs_read_unaligned_le (value.data + value.size -
	64	+ offset_size * (member_info->i + 2),
	65	+ offset_size);
	66	+
	67	+ if (out_member_start != NULL)
	68	+ *out_member_start = member_start;
	69	+ if (out_member_end != NULL)
	70	+ *out_member_end = member_end;
	71	+}
	72	+
	73	static gsize
	74	gvs_tuple_n_children (GVariantSerialised value)
	75	{
	76	@@ -997,33 +1042,7 @@ gvs_tuple_get_child (GVariantSerialised value,
	77	}
	78	}
	79
	80	- if (member_info->i + 1)
	81	- start = gvs_read_unaligned_le (value.data + value.size -
	82	- offset_size * (member_info->i + 1),
	83	- offset_size);
	84	- else
	85	- start = 0;
	86	-
	87	- start += member_info->a;
	88	- start &= member_info->b;
	89	- start \|= member_info->c;
	90	-
	91	- if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_LAST)
	92	- end = value.size - offset_size * (member_info->i + 1);
	93	-
	94	- else if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_FIXED)
	95	- {
	96	- gsize fixed_size;
	97	-
	98	- g_variant_type_info_query (child.type_info, NULL, &fixed_size);
	99	- end = start + fixed_size;
	100	- child.size = fixed_size;
	101	- }
	102	-
	103	- else /* G_VARIANT_MEMBER_ENDING_OFFSET */
	104	- end = gvs_read_unaligned_le (value.data + value.size -
	105	- offset_size * (member_info->i + 2),
	106	- offset_size);
	107	+ gvs_tuple_get_member_bounds (value, index_, offset_size, &start, &end);
	108
	109	/* The child should not extend into the offset table. */
	110	if (index_ != g_variant_type_info_n_members (value.type_info) - 1)
	111	--
	112	2.24.4
	113