1 files changed, 90 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-06.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-06.patch
new file mode 100644
index 0000000000..93fbe5c7fe
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-06.patch
@@ -0,0 +1,90 @@
+From 48050c42c73c28b0c001d63d11dffac7e116847b Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:46:49 +0100
+Subject: [PATCH 06/12] pretty: fix integer overflow in wrapping format
+The `%w(width,indent1,indent2)` formatting directive can be used to
+rewrap text to a specific width and is designed after git-shortlog(1)'s
+`-w` parameter. While the three parameters are all stored as `size_t`
+internally, `strbuf_add_wrapped_text()` accepts integers as input. As a
+result, the casted integers may overflow. As these now-negative integers
+are later on passed to `strbuf_addchars()`, we will ultimately run into
+implementation-defined behaviour due to casting a negative number back
+to `size_t` again. On my platform, this results in trying to allocate
+9000 petabyte of memory.
+Fix this overflow by using `cast_size_t_to_int()` so that we reject
+inputs that cannot be represented as an integer.
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+Upstream-Status: Backport [https://github.com/git/git/commit/48050c42c73c28b0c001d63d11dffac7e116847b]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ git-compat-util.h             |  8 ++++++++
+ pretty.c                      |  4 +++-
+ t/t4205-log-pretty-formats.sh | 12 ++++++++++++
+ 3 files changed, 23 insertions(+), 1 deletion(-)
+diff --git a/git-compat-util.h b/git-compat-util.h
+index a1ecfd3..b0f3890 100644
+--- a/git-compat-util.h
+++ b/git-compat-util.h
+@@ -854,6 +854,14 @@ static inline size_t st_sub(size_t a, size_t b)
+        return a - b;
+ }
+ 
+static inline int cast_size_t_to_int(size_t a)
+{
+       if (a > INT_MAX)
+               die("number too large to represent as int on this platform: %"PRIuMAX,
+                   (uintmax_t)a);
+       return (int)a;
+}
+
+ #ifdef HAVE_ALLOCA_H
+ # include <alloca.h>
+ # define xalloca(size)      (alloca(size))
+diff --git a/pretty.c b/pretty.c
+index 195d005..ff9fc97 100644
+--- a/pretty.c
+++ b/pretty.c
+@@ -898,7 +898,9 @@ static void strbuf_wrap(struct strbuf *sb, size_t pos,
+        if (pos)
+                strbuf_add(&tmp, sb->buf, pos);
+        strbuf_add_wrapped_text(&tmp, sb->buf + pos,
+-                               (int) indent1, (int) indent2, (int) width);
+                               cast_size_t_to_int(indent1),
+                               cast_size_t_to_int(indent2),
+                               cast_size_t_to_int(width));
+        strbuf_swap(&tmp, sb);
+        strbuf_release(&tmp);
+ }
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index fa1bc2b..23ac508 100755
+--- a/t/t4205-log-pretty-formats.sh
+++ b/t/t4205-log-pretty-formats.sh
+@@ -808,6 +808,18 @@ test_expect_success 'log --pretty with magical wrapping directives' '
+        test_cmp expect actual
+ '
+ 
+test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing wrapping directive' '
+       cat >expect <<-EOF &&
+       fatal: number too large to represent as int on this platform: 2147483649
+       EOF
+       test_must_fail git log -1 --pretty="format:%w(2147483649,1,1)%d" 2>error &&
+       test_cmp expect error &&
+       test_must_fail git log -1 --pretty="format:%w(1,2147483649,1)%d" 2>error &&
+       test_cmp expect error &&
+       test_must_fail git log -1 --pretty="format:%w(1,1,2147483649)%d" 2>error &&
+       test_cmp expect error
+'
+
+ test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
+        # We only assert that this command does not crash. This needs to be
+        # executed with the address sanitizer to demonstrate failure.
+-- 
+2.25.1

diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-06.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-06.patch new file mode 100644 index 0000000000..93fbe5c7fe --- /dev/null +++ b/meta/recipes-devtools/git/files/CVE-2022-41903-06.patch
@@ -0,0 +1,90 @@
	1	From 48050c42c73c28b0c001d63d11dffac7e116847b Mon Sep 17 00:00:00 2001
	2	From: Patrick Steinhardt <ps@pks.im>
	3	Date: Thu, 1 Dec 2022 15:46:49 +0100
	4	Subject: [PATCH 06/12] pretty: fix integer overflow in wrapping format
	5
	6	The `%w(width,indent1,indent2)` formatting directive can be used to
	7	rewrap text to a specific width and is designed after git-shortlog(1)'s
	8	`-w` parameter. While the three parameters are all stored as `size_t`
	9	internally, `strbuf_add_wrapped_text()` accepts integers as input. As a
	10	result, the casted integers may overflow. As these now-negative integers
	11	are later on passed to `strbuf_addchars()`, we will ultimately run into
	12	implementation-defined behaviour due to casting a negative number back
	13	to `size_t` again. On my platform, this results in trying to allocate
	14	9000 petabyte of memory.
	15
	16	Fix this overflow by using `cast_size_t_to_int()` so that we reject
	17	inputs that cannot be represented as an integer.
	18
	19	Signed-off-by: Patrick Steinhardt <ps@pks.im>
	20	Signed-off-by: Junio C Hamano <gitster@pobox.com>
	21
	22	Upstream-Status: Backport [https://github.com/git/git/commit/48050c42c73c28b0c001d63d11dffac7e116847b]
	23	CVE: CVE-2022-41903
	24	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	25	---
	26	git-compat-util.h \| 8 ++++++++
	27	pretty.c \| 4 +++-
	28	t/t4205-log-pretty-formats.sh \| 12 ++++++++++++
	29	3 files changed, 23 insertions(+), 1 deletion(-)
	30
	31	diff --git a/git-compat-util.h b/git-compat-util.h
	32	index a1ecfd3..b0f3890 100644
	33	--- a/git-compat-util.h
	34	+++ b/git-compat-util.h
	35	@@ -854,6 +854,14 @@ static inline size_t st_sub(size_t a, size_t b)
	36	return a - b;
	37	}
	38
	39	+static inline int cast_size_t_to_int(size_t a)
	40	+{
	41	+ if (a > INT_MAX)
	42	+ die("number too large to represent as int on this platform: %"PRIuMAX,
	43	+ (uintmax_t)a);
	44	+ return (int)a;
	45	+}
	46	+
	47	#ifdef HAVE_ALLOCA_H
	48	# include <alloca.h>
	49	# define xalloca(size) (alloca(size))
	50	diff --git a/pretty.c b/pretty.c
	51	index 195d005..ff9fc97 100644
	52	--- a/pretty.c
	53	+++ b/pretty.c
	54	@@ -898,7 +898,9 @@ static void strbuf_wrap(struct strbuf *sb, size_t pos,
	55	if (pos)
	56	strbuf_add(&tmp, sb->buf, pos);
	57	strbuf_add_wrapped_text(&tmp, sb->buf + pos,
	58	- (int) indent1, (int) indent2, (int) width);
	59	+ cast_size_t_to_int(indent1),
	60	+ cast_size_t_to_int(indent2),
	61	+ cast_size_t_to_int(width));
	62	strbuf_swap(&tmp, sb);
	63	strbuf_release(&tmp);
	64	}
	65	diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
	66	index fa1bc2b..23ac508 100755
	67	--- a/t/t4205-log-pretty-formats.sh
	68	+++ b/t/t4205-log-pretty-formats.sh
	69	@@ -808,6 +808,18 @@ test_expect_success 'log --pretty with magical wrapping directives' '
	70	test_cmp expect actual
	71	'
	72
	73	+test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing wrapping directive' '
	74	+ cat >expect <<-EOF &&
	75	+ fatal: number too large to represent as int on this platform: 2147483649
	76	+ EOF
	77	+ test_must_fail git log -1 --pretty="format:%w(2147483649,1,1)%d" 2>error &&
	78	+ test_cmp expect error &&
	79	+ test_must_fail git log -1 --pretty="format:%w(1,2147483649,1)%d" 2>error &&
	80	+ test_cmp expect error &&
	81	+ test_must_fail git log -1 --pretty="format:%w(1,1,2147483649)%d" 2>error &&
	82	+ test_cmp expect error
	83	+'
	84	+
	85	test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
	86	# We only assert that this command does not crash. This needs to be
	87	# executed with the address sanitizer to demonstrate failure.
	88	--
	89	2.25.1
	90