1 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
new file mode 100644
index 0000000000..8f2c2ade0e
--- /dev/null
+++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
@@ -0,0 +1,50 @@
+From ad3a19e6372b1e667128ed1ea2f49919884587e1 Mon Sep 17 00:00:00 2001
+From: Akira TAGOH <akira@tagoh.org>
+Date: Thu, 17 Feb 2022 17:30:12 +0900
+Subject: [PATCH] Fix the stack buffer overflow issue
+strlen() could returns 0. Without a conditional check for len,
+accessing S_ pointer with len - 1 may causes a stack buffer overflow.
+AddressSanitizer reports this like:
+==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdce043c1f at pc 0x000000403547 bp 0x7ffdce0
+43b30 sp 0x7ffdce043b28
+READ of size 1 at 0x7ffdce043c1f thread T0
+    #0 0x403546 in main ../bin/fribidi-main.c:393
+    #1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f)
+    #2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648)
+    #3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4)
+Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in frame
+    #0 0x4022bf in main ../bin/fribidi-main.c:193
+  This frame has 5 object(s):
+    [32, 36) 'option_index' (line 233)
+    [48, 52) 'base' (line 386)
+    [64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows this variable
+    [65328, 130328) 'outstring' (line 385)
+    [130592, 390592) 'logical' (line 384)
+This fixes https://github.com/fribidi/fribidi/issues/181
+CVE: CVE-2022-25308
+Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+---
+ bin/fribidi-main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c
+index 3cf9fe1..3ae4fb6 100644
+--- a/bin/fribidi-main.c
+++ b/bin/fribidi-main.c
+@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS
+            S_[sizeof (S_) - 1] = 0;
+            len = strlen (S_);
+            /* chop */
+-           if (S_[len - 1] == '\n')
+           if (len > 0 && S_[len - 1] == '\n')
+              {
+                len--;
+                S_[len] = '\0';

diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch new file mode 100644 index 0000000000..8f2c2ade0e --- /dev/null +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
@@ -0,0 +1,50 @@
	1	From ad3a19e6372b1e667128ed1ea2f49919884587e1 Mon Sep 17 00:00:00 2001
	2	From: Akira TAGOH <akira@tagoh.org>
	3	Date: Thu, 17 Feb 2022 17:30:12 +0900
	4	Subject: [PATCH] Fix the stack buffer overflow issue
	5
	6	strlen() could returns 0. Without a conditional check for len,
	7	accessing S_ pointer with len - 1 may causes a stack buffer overflow.
	8
	9	AddressSanitizer reports this like:
	10	==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdce043c1f at pc 0x000000403547 bp 0x7ffdce0
	11	43b30 sp 0x7ffdce043b28
	12	READ of size 1 at 0x7ffdce043c1f thread T0
	13	#0 0x403546 in main ../bin/fribidi-main.c:393
	14	#1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f)
	15	#2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648)
	16	#3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4)
	17
	18	Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in frame
	19	#0 0x4022bf in main ../bin/fribidi-main.c:193
	20
	21	This frame has 5 object(s):
	22	[32, 36) 'option_index' (line 233)
	23	[48, 52) 'base' (line 386)
	24	[64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows this variable
	25	[65328, 130328) 'outstring' (line 385)
	26	[130592, 390592) 'logical' (line 384)
	27
	28	This fixes https://github.com/fribidi/fribidi/issues/181
	29
	30	CVE: CVE-2022-25308
	31	Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1]
	32	Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
	33
	34	---
	35	bin/fribidi-main.c \| 2 +-
	36	1 file changed, 1 insertion(+), 1 deletion(-)
	37
	38	diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c
	39	index 3cf9fe1..3ae4fb6 100644
	40	--- a/bin/fribidi-main.c
	41	+++ b/bin/fribidi-main.c
	42	@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS
	43	S_[sizeof (S_) - 1] = 0;
	44	len = strlen (S_);
	45	/* chop */
	46	- if (S_[len - 1] == '\n')
	47	+ if (len > 0 && S_[len - 1] == '\n')
	48	{
	49	len--;
	50	S_[len] = '\0';