diff options
Diffstat (limited to 'meta/recipes-devtools/git/files/CVE-2022-41903-11.patch')
| -rw-r--r-- | meta/recipes-devtools/git/files/CVE-2022-41903-11.patch | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-11.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-11.patch new file mode 100644 index 0000000000..f339edfc8a --- /dev/null +++ b/meta/recipes-devtools/git/files/CVE-2022-41903-11.patch | |||
| @@ -0,0 +1,90 @@ | |||
| 1 | From f930a2394303b902e2973f4308f96529f736b8bc Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Patrick Steinhardt <ps@pks.im> | ||
| 3 | Date: Thu, 1 Dec 2022 15:47:15 +0100 | ||
| 4 | Subject: [PATCH 11/12] utf8: refactor strbuf_utf8_replace to not rely on preallocated buffer | ||
| 5 | |||
| 6 | In `strbuf_utf8_replace`, we preallocate the destination buffer and then | ||
| 7 | use `memcpy` to copy bytes into it at computed offsets. This feels | ||
| 8 | rather fragile and is hard to understand at times. Refactor the code to | ||
| 9 | instead use `strbuf_add` and `strbuf_addstr` so that we can be sure that | ||
| 10 | there is no possibility to perform an out-of-bounds write. | ||
| 11 | |||
| 12 | Signed-off-by: Patrick Steinhardt <ps@pks.im> | ||
| 13 | Signed-off-by: Junio C Hamano <gitster@pobox.com> | ||
| 14 | |||
| 15 | Upstream-Status: Backport [https://github.com/git/git/commit/f930a2394303b902e2973f4308f96529f736b8bc] | ||
| 16 | CVE: CVE-2022-41903 | ||
| 17 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 18 | --- | ||
| 19 | utf8.c | 34 +++++++++++++--------------------- | ||
| 20 | 1 file changed, 13 insertions(+), 21 deletions(-) | ||
| 21 | |||
| 22 | diff --git a/utf8.c b/utf8.c | ||
| 23 | index ec03e69..a13f5e3 100644 | ||
| 24 | --- a/utf8.c | ||
| 25 | +++ b/utf8.c | ||
| 26 | @@ -365,26 +365,20 @@ void strbuf_add_wrapped_bytes(struct strbuf *buf, const char *data, int len, | ||
| 27 | void strbuf_utf8_replace(struct strbuf *sb_src, int pos, int width, | ||
| 28 | const char *subst) | ||
| 29 | { | ||
| 30 | - struct strbuf sb_dst = STRBUF_INIT; | ||
| 31 | - char *src = sb_src->buf; | ||
| 32 | - char *end = src + sb_src->len; | ||
| 33 | - char *dst; | ||
| 34 | - int w = 0, subst_len = 0; | ||
| 35 | + const char *src = sb_src->buf, *end = sb_src->buf + sb_src->len; | ||
| 36 | + struct strbuf dst; | ||
| 37 | + int w = 0; | ||
| 38 | |||
| 39 | - if (subst) | ||
| 40 | - subst_len = strlen(subst); | ||
| 41 | - strbuf_grow(&sb_dst, sb_src->len + subst_len); | ||
| 42 | - dst = sb_dst.buf; | ||
| 43 | + strbuf_init(&dst, sb_src->len); | ||
| 44 | |||
| 45 | while (src < end) { | ||
| 46 | + const char *old; | ||
| 47 | int glyph_width; | ||
| 48 | - char *old; | ||
| 49 | size_t n; | ||
| 50 | |||
| 51 | while ((n = display_mode_esc_sequence_len(src))) { | ||
| 52 | - memcpy(dst, src, n); | ||
| 53 | + strbuf_add(&dst, src, n); | ||
| 54 | src += n; | ||
| 55 | - dst += n; | ||
| 56 | } | ||
| 57 | |||
| 58 | if (src >= end) | ||
| 59 | @@ -404,21 +398,19 @@ void strbuf_utf8_replace(struct strbuf *sb_src, int pos, int width, | ||
| 60 | |||
| 61 | if (glyph_width && w >= pos && w < pos + width) { | ||
| 62 | if (subst) { | ||
| 63 | - memcpy(dst, subst, subst_len); | ||
| 64 | - dst += subst_len; | ||
| 65 | + strbuf_addstr(&dst, subst); | ||
| 66 | subst = NULL; | ||
| 67 | } | ||
| 68 | - w += glyph_width; | ||
| 69 | - continue; | ||
| 70 | + } else { | ||
| 71 | + strbuf_add(&dst, old, src - old); | ||
| 72 | } | ||
| 73 | - memcpy(dst, old, src - old); | ||
| 74 | - dst += src - old; | ||
| 75 | + | ||
| 76 | w += glyph_width; | ||
| 77 | } | ||
| 78 | - strbuf_setlen(&sb_dst, dst - sb_dst.buf); | ||
| 79 | - strbuf_swap(sb_src, &sb_dst); | ||
| 80 | + | ||
| 81 | + strbuf_swap(sb_src, &dst); | ||
| 82 | out: | ||
| 83 | - strbuf_release(&sb_dst); | ||
| 84 | + strbuf_release(&dst); | ||
| 85 | } | ||
| 86 | |||
| 87 | /* | ||
| 88 | -- | ||
| 89 | 2.25.1 | ||
| 90 | |||