diff options
Diffstat (limited to 'meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch')
-rw-r--r-- | meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch new file mode 100644 index 0000000000..8f2c2ade0e --- /dev/null +++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch | |||
@@ -0,0 +1,50 @@ | |||
1 | From ad3a19e6372b1e667128ed1ea2f49919884587e1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Akira TAGOH <akira@tagoh.org> | ||
3 | Date: Thu, 17 Feb 2022 17:30:12 +0900 | ||
4 | Subject: [PATCH] Fix the stack buffer overflow issue | ||
5 | |||
6 | strlen() could returns 0. Without a conditional check for len, | ||
7 | accessing S_ pointer with len - 1 may causes a stack buffer overflow. | ||
8 | |||
9 | AddressSanitizer reports this like: | ||
10 | ==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdce043c1f at pc 0x000000403547 bp 0x7ffdce0 | ||
11 | 43b30 sp 0x7ffdce043b28 | ||
12 | READ of size 1 at 0x7ffdce043c1f thread T0 | ||
13 | #0 0x403546 in main ../bin/fribidi-main.c:393 | ||
14 | #1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f) | ||
15 | #2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648) | ||
16 | #3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4) | ||
17 | |||
18 | Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in frame | ||
19 | #0 0x4022bf in main ../bin/fribidi-main.c:193 | ||
20 | |||
21 | This frame has 5 object(s): | ||
22 | [32, 36) 'option_index' (line 233) | ||
23 | [48, 52) 'base' (line 386) | ||
24 | [64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows this variable | ||
25 | [65328, 130328) 'outstring' (line 385) | ||
26 | [130592, 390592) 'logical' (line 384) | ||
27 | |||
28 | This fixes https://github.com/fribidi/fribidi/issues/181 | ||
29 | |||
30 | CVE: CVE-2022-25308 | ||
31 | Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1] | ||
32 | Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> | ||
33 | |||
34 | --- | ||
35 | bin/fribidi-main.c | 2 +- | ||
36 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
37 | |||
38 | diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c | ||
39 | index 3cf9fe1..3ae4fb6 100644 | ||
40 | --- a/bin/fribidi-main.c | ||
41 | +++ b/bin/fribidi-main.c | ||
42 | @@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS | ||
43 | S_[sizeof (S_) - 1] = 0; | ||
44 | len = strlen (S_); | ||
45 | /* chop */ | ||
46 | - if (S_[len - 1] == '\n') | ||
47 | + if (len > 0 && S_[len - 1] == '\n') | ||
48 | { | ||
49 | len--; | ||
50 | S_[len] = '\0'; | ||