1 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-08.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-08.patch
new file mode 100644
index 0000000000..3de6a5ba6a
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-08.patch
@@ -0,0 +1,67 @@
+From 17d23e8a3812a5ca3dd6564e74d5250f22e5d76d Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:47:00 +0100
+Subject: [PATCH 08/12] utf8: fix returning negative string width
+The `utf8_strnwidth()` function calls `utf8_width()` in a loop and adds
+its returned width to the end result. `utf8_width()` can return `-1`
+though in case it reads a control character, which means that the
+computed string width is going to be wrong. In the worst case where
+there are more control characters than non-control characters, we may
+even return a negative string width.
+Fix this bug by treating control characters as having zero width.
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+Upstream-Status: Backport [https://github.com/git/git/commit/17d23e8a3812a5ca3dd6564e74d5250f22e5d76d]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ t/t4205-log-pretty-formats.sh | 6 ++++++
+ utf8.c                        | 8 ++++++--
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index 23ac508..261a6f0 100755
+--- a/t/t4205-log-pretty-formats.sh
+++ b/t/t4205-log-pretty-formats.sh
+@@ -820,6 +820,12 @@ test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing wrapping dire
+        test_cmp expect error
+ '
+ 
+test_expect_success 'log --pretty with padding and preceding control chars' '
+       printf "\20\20   0" >expect &&
+       git log -1 --pretty="format:%x10%x10%>|(4)%x30" >actual &&
+       test_cmp expect actual
+'
+
+ test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
+        # We only assert that this command does not crash. This needs to be
+        # executed with the address sanitizer to demonstrate failure.
+diff --git a/utf8.c b/utf8.c
+index a66984b..6632bd2 100644
+--- a/utf8.c
+++ b/utf8.c
+@@ -212,11 +212,15 @@ int utf8_strnwidth(const char *string, size_t len, int skip_ansi)
+        const char *orig = string;
+ 
+        while (string && string < orig + len) {
+-               int skip;
+               int glyph_width, skip;
+
+                while (skip_ansi &&
+                       (skip = display_mode_esc_sequence_len(string)) != 0)
+                        string += skip;
+-               width += utf8_width(&string, NULL);
+
+               glyph_width = utf8_width(&string, NULL);
+               if (glyph_width > 0)
+                       width += glyph_width;
+        }
+        return string ? width : len;
+ }
+-- 
+2.25.1

diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-08.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-08.patch new file mode 100644 index 0000000000..3de6a5ba6a --- /dev/null +++ b/meta/recipes-devtools/git/files/CVE-2022-41903-08.patch
@@ -0,0 +1,67 @@
	1	From 17d23e8a3812a5ca3dd6564e74d5250f22e5d76d Mon Sep 17 00:00:00 2001
	2	From: Patrick Steinhardt <ps@pks.im>
	3	Date: Thu, 1 Dec 2022 15:47:00 +0100
	4	Subject: [PATCH 08/12] utf8: fix returning negative string width
	5
	6	The `utf8_strnwidth()` function calls `utf8_width()` in a loop and adds
	7	its returned width to the end result. `utf8_width()` can return `-1`
	8	though in case it reads a control character, which means that the
	9	computed string width is going to be wrong. In the worst case where
	10	there are more control characters than non-control characters, we may
	11	even return a negative string width.
	12
	13	Fix this bug by treating control characters as having zero width.
	14
	15	Signed-off-by: Patrick Steinhardt <ps@pks.im>
	16	Signed-off-by: Junio C Hamano <gitster@pobox.com>
	17
	18	Upstream-Status: Backport [https://github.com/git/git/commit/17d23e8a3812a5ca3dd6564e74d5250f22e5d76d]
	19	CVE: CVE-2022-41903
	20	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	21	---
	22	t/t4205-log-pretty-formats.sh \| 6 ++++++
	23	utf8.c \| 8 ++++++--
	24	2 files changed, 12 insertions(+), 2 deletions(-)
	25
	26	diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
	27	index 23ac508..261a6f0 100755
	28	--- a/t/t4205-log-pretty-formats.sh
	29	+++ b/t/t4205-log-pretty-formats.sh
	30	@@ -820,6 +820,12 @@ test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing wrapping dire
	31	test_cmp expect error
	32	'
	33
	34	+test_expect_success 'log --pretty with padding and preceding control chars' '
	35	+ printf "\20\20 0" >expect &&
	36	+ git log -1 --pretty="format:%x10%x10%>\|(4)%x30" >actual &&
	37	+ test_cmp expect actual
	38	+'
	39	+
	40	test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
	41	# We only assert that this command does not crash. This needs to be
	42	# executed with the address sanitizer to demonstrate failure.
	43	diff --git a/utf8.c b/utf8.c
	44	index a66984b..6632bd2 100644
	45	--- a/utf8.c
	46	+++ b/utf8.c
	47	@@ -212,11 +212,15 @@ int utf8_strnwidth(const char *string, size_t len, int skip_ansi)
	48	const char *orig = string;
	49
	50	while (string && string < orig + len) {
	51	- int skip;
	52	+ int glyph_width, skip;
	53	+
	54	while (skip_ansi &&
	55	(skip = display_mode_esc_sequence_len(string)) != 0)
	56	string += skip;
	57	- width += utf8_width(&string, NULL);
	58	+
	59	+ glyph_width = utf8_width(&string, NULL);
	60	+ if (glyph_width > 0)
	61	+ width += glyph_width;
	62	}
	63	return string ? width : len;
	64	}
	65	--
	66	2.25.1
	67