diff options
Diffstat (limited to 'meta/recipes-devtools/git/files/CVE-2022-41903-11.patch')
-rw-r--r-- | meta/recipes-devtools/git/files/CVE-2022-41903-11.patch | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-11.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-11.patch new file mode 100644 index 0000000000..f339edfc8a --- /dev/null +++ b/meta/recipes-devtools/git/files/CVE-2022-41903-11.patch | |||
@@ -0,0 +1,90 @@ | |||
1 | From f930a2394303b902e2973f4308f96529f736b8bc Mon Sep 17 00:00:00 2001 | ||
2 | From: Patrick Steinhardt <ps@pks.im> | ||
3 | Date: Thu, 1 Dec 2022 15:47:15 +0100 | ||
4 | Subject: [PATCH 11/12] utf8: refactor strbuf_utf8_replace to not rely on preallocated buffer | ||
5 | |||
6 | In `strbuf_utf8_replace`, we preallocate the destination buffer and then | ||
7 | use `memcpy` to copy bytes into it at computed offsets. This feels | ||
8 | rather fragile and is hard to understand at times. Refactor the code to | ||
9 | instead use `strbuf_add` and `strbuf_addstr` so that we can be sure that | ||
10 | there is no possibility to perform an out-of-bounds write. | ||
11 | |||
12 | Signed-off-by: Patrick Steinhardt <ps@pks.im> | ||
13 | Signed-off-by: Junio C Hamano <gitster@pobox.com> | ||
14 | |||
15 | Upstream-Status: Backport [https://github.com/git/git/commit/f930a2394303b902e2973f4308f96529f736b8bc] | ||
16 | CVE: CVE-2022-41903 | ||
17 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
18 | --- | ||
19 | utf8.c | 34 +++++++++++++--------------------- | ||
20 | 1 file changed, 13 insertions(+), 21 deletions(-) | ||
21 | |||
22 | diff --git a/utf8.c b/utf8.c | ||
23 | index ec03e69..a13f5e3 100644 | ||
24 | --- a/utf8.c | ||
25 | +++ b/utf8.c | ||
26 | @@ -365,26 +365,20 @@ void strbuf_add_wrapped_bytes(struct strbuf *buf, const char *data, int len, | ||
27 | void strbuf_utf8_replace(struct strbuf *sb_src, int pos, int width, | ||
28 | const char *subst) | ||
29 | { | ||
30 | - struct strbuf sb_dst = STRBUF_INIT; | ||
31 | - char *src = sb_src->buf; | ||
32 | - char *end = src + sb_src->len; | ||
33 | - char *dst; | ||
34 | - int w = 0, subst_len = 0; | ||
35 | + const char *src = sb_src->buf, *end = sb_src->buf + sb_src->len; | ||
36 | + struct strbuf dst; | ||
37 | + int w = 0; | ||
38 | |||
39 | - if (subst) | ||
40 | - subst_len = strlen(subst); | ||
41 | - strbuf_grow(&sb_dst, sb_src->len + subst_len); | ||
42 | - dst = sb_dst.buf; | ||
43 | + strbuf_init(&dst, sb_src->len); | ||
44 | |||
45 | while (src < end) { | ||
46 | + const char *old; | ||
47 | int glyph_width; | ||
48 | - char *old; | ||
49 | size_t n; | ||
50 | |||
51 | while ((n = display_mode_esc_sequence_len(src))) { | ||
52 | - memcpy(dst, src, n); | ||
53 | + strbuf_add(&dst, src, n); | ||
54 | src += n; | ||
55 | - dst += n; | ||
56 | } | ||
57 | |||
58 | if (src >= end) | ||
59 | @@ -404,21 +398,19 @@ void strbuf_utf8_replace(struct strbuf *sb_src, int pos, int width, | ||
60 | |||
61 | if (glyph_width && w >= pos && w < pos + width) { | ||
62 | if (subst) { | ||
63 | - memcpy(dst, subst, subst_len); | ||
64 | - dst += subst_len; | ||
65 | + strbuf_addstr(&dst, subst); | ||
66 | subst = NULL; | ||
67 | } | ||
68 | - w += glyph_width; | ||
69 | - continue; | ||
70 | + } else { | ||
71 | + strbuf_add(&dst, old, src - old); | ||
72 | } | ||
73 | - memcpy(dst, old, src - old); | ||
74 | - dst += src - old; | ||
75 | + | ||
76 | w += glyph_width; | ||
77 | } | ||
78 | - strbuf_setlen(&sb_dst, dst - sb_dst.buf); | ||
79 | - strbuf_swap(sb_src, &sb_dst); | ||
80 | + | ||
81 | + strbuf_swap(sb_src, &dst); | ||
82 | out: | ||
83 | - strbuf_release(&sb_dst); | ||
84 | + strbuf_release(&dst); | ||
85 | } | ||
86 | |||
87 | /* | ||
88 | -- | ||
89 | 2.25.1 | ||
90 | |||