Diffstat (limited to 'meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0005.patch')
-rw-r--r-- | meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0005.patch | 80 |
1 files changed, 80 insertions, 0 deletions
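--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0005.patch
@@ -0,0 +1,80 @@
+From 73d0aa81c2575a5c9ae77dcb94da919579014fc0 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Fri, 11 Aug 2023 04:13:02 +0000
+Subject: [PATCH] gvariant-serialiser: Rework child size calculation
+
+This reduces a few duplicate calls to `g_variant_type_info_query()` and
+explains why they’re needed.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Helps: #2121
+
+CVE: CVE-2023-32665
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/73d0aa81c2575a5c9ae77dcb94da919579014fc0]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+glib/gvariant-serialiser.c | 31 +++++++++----------------------
+1 file changed, 9 insertions(+), 22 deletions(-)
+
+diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
+index 6f9b366..fb75923 100644
+--- a/glib/gvariant-serialiser.c
++++ b/glib/gvariant-serialiser.c
+@@ -1007,14 +1007,18 @@ gvs_tuple_get_child (GVariantSerialised value,
+child.depth = value.depth + 1;
+offset_size = gvs_get_offset_size (value.size);
+
++ /* Ensure the size is set for fixed-sized children, or
++ * g_variant_serialised_check() will fail, even if we return
++ * (child.data == NULL) to indicate an error. */
++ if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_FIXED)
++ g_variant_type_info_query (child.type_info, NULL, &child.size);
++
+/* tuples are the only (potentially) fixed-sized containers, so the
+* only ones that have to deal with the possibility of having %NULL
+* data with a non-zero %size if errors occurred elsewhere.
+*/
+if G_UNLIKELY (value.data == NULL && value.size != 0)
+{
+- g_variant_type_info_query (child.type_info, NULL, &child.size);
+-
+/* this can only happen in fixed-sized tuples,
+* so the child must also be fixed sized.
+*/
+@@ -1032,29 +1036,12 @@ gvs_tuple_get_child (GVariantSerialised value,
+else
+{
+if (offset_size * (member_info->i + 1) > value.size)
+- {
+- /* if the child is fixed size, return its size.
+- * if child is not fixed-sized, return size = 0.
+- */
+- g_variant_type_info_query (child.type_info, NULL, &child.size);
+-
+- return child;
+- }
++ return child;
+}
+
+- gvs_tuple_get_member_bounds (value, index_, offset_size, &start, &end);
+-
+/* The child should not extend into the offset table. */
+- if (index_ != g_variant_type_info_n_members (value.type_info) - 1)
+- {
+- GVariantSerialised last_child;
+- last_child = gvs_tuple_get_child (value,
+- g_variant_type_info_n_members (value.type_info) - 1);
+- last_end = last_child.data + last_child.size - value.data;
+- g_variant_type_info_unref (last_child.type_info);
+- }
+- else
+- last_end = end;
++ gvs_tuple_get_member_bounds (value, index_, offset_size, &start, &end);
++ gvs_tuple_get_member_bounds (value, g_variant_type_info_n_members (value.type_info) - 1, offset_size, NULL, &last_end);
+
+if (start < end && end <= value.size && end <= last_end)
+{
+--
+2.24.4
+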
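Review bot: The second `gvs_tuple_get_member_bounds (...)` call added in the last hunk passes `NULL` for the start out-parameter, but the helper is neither defined nor changed in this patch, so whether it tolerates `NULL` cannot be checked from here. Presumably the helper comes from an earlier patch in the CVE-2023-32665 series. Confirm that the recipe applies that patch before this one and that the backported helper skips a `NULL` start pointer, because `last_end` now feeds the `end <= last_end` bounds check directly. A one-line comment above the call, e.g. `/* Only the end of the last member is needed; the start out-parameter may be NULL. */`, would record that contract, though it would make the backport differ from upstream. The body of `gvs_tuple_get_child` starts and ends outside both hunks, so the declarations of `start`, `end` and `last_end` are not visible.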