From be8834340a2d928ece82025463ae23dee2c333d0 Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Thu, 4 Feb 2021 13:37:56 +0000 Subject: [PATCH 02/11] gio: Use g_memdup2() instead of g_memdup() in obvious places MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Convert all the call sites which use `g_memdup()`’s length argument trivially (for example, by passing a `sizeof()`), so that they use `g_memdup2()` instead. In almost all of these cases the use of `g_memdup()` would not have caused problems, but it will soon be deprecated, so best port away from it. Signed-off-by: Philip Withnall Helps: #2319 Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz] CVE: CVE-2021-27219 Signed-off-by: Neetika Singh Signed-off-by: Ranjitsinh Rathod --- gio/gdbusconnection.c | 5 +++-- gio/gdbusinterfaceskeleton.c | 3 ++- gio/gfile.c | 7 ++++--- gio/gsettingsschema.c | 5 +++-- gio/gwin32registrykey.c | 8 +++++--- gio/tests/async-close-output-stream.c | 6 ++++-- gio/tests/gdbus-export.c | 5 +++-- gio/win32/gwinhttpfile.c | 9 +++++---- 8 files changed, 29 insertions(+), 19 deletions(-) --- a/gio/gdbusconnection.c +++ b/gio/gdbusconnection.c @@ -110,6 +110,7 @@ #include "gasyncinitable.h" #include "giostream.h" #include "gasyncresult.h" +#include "gstrfuncsprivate.h" #include "gtask.h" #include "gmarshal-internal.h" @@ -4007,7 +4008,7 @@ _g_dbus_interface_vtable_copy (const GDB /* Don't waste memory by copying padding - remember to update this * when changing struct _GDBusInterfaceVTable in gdbusconnection.h */ - return g_memdup ((gconstpointer) vtable, 3 * sizeof (gpointer)); + return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer)); } static void @@ -4024,7 +4025,7 @@ _g_dbus_subtree_vtable_copy (const GDBus /* Don't waste memory by copying padding - remember to update this * when changing struct _GDBusSubtreeVTable in gdbusconnection.h */ - return g_memdup ((gconstpointer) vtable, 3 * sizeof (gpointer)); + return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer)); } static void --- a/gio/gdbusinterfaceskeleton.c +++ b/gio/gdbusinterfaceskeleton.c @@ -28,6 +28,7 @@ #include "gdbusmethodinvocation.h" #include "gdbusconnection.h" #include "gmarshal-internal.h" +#include "gstrfuncsprivate.h" #include "gtask.h" #include "gioerror.h" @@ -701,7 +702,7 @@ add_connection_locked (GDBusInterfaceSke * properly before building the hooked_vtable, so we create it * once at the last minute. */ - interface_->priv->hooked_vtable = g_memdup (g_dbus_interface_skeleton_get_vtable (interface_), sizeof (GDBusInterfaceVTable)); + interface_->priv->hooked_vtable = g_memdup2 (g_dbus_interface_skeleton_get_vtable (interface_), sizeof (GDBusInterfaceVTable)); interface_->priv->hooked_vtable->method_call = skeleton_intercept_handle_method_call; } --- a/gio/gfile.c +++ b/gio/gfile.c @@ -60,6 +60,7 @@ #include "gasyncresult.h" #include "gioerror.h" #include "glibintl.h" +#include "gstrfuncsprivate.h" /** @@ -7854,7 +7855,7 @@ measure_disk_usage_progress (gboolean re g_main_context_invoke_full (g_task_get_context (task), g_task_get_priority (task), measure_disk_usage_invoke_progress, - g_memdup (&progress, sizeof progress), + g_memdup2 (&progress, sizeof progress), g_free); } @@ -7872,7 +7873,7 @@ measure_disk_usage_thread (GTask data->progress_callback ? measure_disk_usage_progress : NULL, task, &result.disk_usage, &result.num_dirs, &result.num_files, &error)) - g_task_return_pointer (task, g_memdup (&result, sizeof result), g_free); + g_task_return_pointer (task, g_memdup2 (&result, sizeof result), g_free); else g_task_return_error (task, error); } @@ -7896,7 +7897,7 @@ g_file_real_measure_disk_usage_async (GF task = g_task_new (file, cancellable, callback, user_data); g_task_set_source_tag (task, g_file_real_measure_disk_usage_async); - g_task_set_task_data (task, g_memdup (&data, sizeof data), g_free); + g_task_set_task_data (task, g_memdup2 (&data, sizeof data), g_free); g_task_set_priority (task, io_priority); g_task_run_in_thread (task, measure_disk_usage_thread); --- a/gio/gsettingsschema.c +++ b/gio/gsettingsschema.c @@ -20,6 +20,7 @@ #include "gsettingsschema-internal.h" #include "gsettings.h" +#include "gstrfuncsprivate.h" #include "gvdb/gvdb-reader.h" #include "strinfo.c" @@ -1067,9 +1068,9 @@ g_settings_schema_list_children (GSettin if (g_str_has_suffix (key, "/")) { - gint length = strlen (key); + gsize length = strlen (key); - strv[j] = g_memdup (key, length); + strv[j] = g_memdup2 (key, length); strv[j][length - 1] = '\0'; j++; } --- a/gio/gwin32registrykey.c +++ b/gio/gwin32registrykey.c @@ -28,6 +28,8 @@ #include #include +#include "gstrfuncsprivate.h" + #ifndef _WDMDDK_ typedef enum _KEY_INFORMATION_CLASS { KeyBasicInformation, @@ -247,7 +249,7 @@ g_win32_registry_value_iter_copy (const new_iter->value_name_size = iter->value_name_size; if (iter->value_data != NULL) - new_iter->value_data = g_memdup (iter->value_data, iter->value_data_size); + new_iter->value_data = g_memdup2 (iter->value_data, iter->value_data_size); new_iter->value_data_size = iter->value_data_size; @@ -268,8 +270,8 @@ g_win32_registry_value_iter_copy (const new_iter->value_data_expanded_charsize = iter->value_data_expanded_charsize; if (iter->value_data_expanded_u8 != NULL) - new_iter->value_data_expanded_u8 = g_memdup (iter->value_data_expanded_u8, - iter->value_data_expanded_charsize); + new_iter->value_data_expanded_u8 = g_memdup2 (iter->value_data_expanded_u8, + iter->value_data_expanded_charsize); new_iter->value_data_expanded_u8_size = iter->value_data_expanded_charsize; --- a/gio/tests/async-close-output-stream.c +++ b/gio/tests/async-close-output-stream.c @@ -24,6 +24,8 @@ #include #include +#include "gstrfuncsprivate.h" + #define DATA_TO_WRITE "Hello world\n" typedef struct @@ -147,9 +149,9 @@ prepare_data (SetupData *data, data->expected_size = g_memory_output_stream_get_data_size (G_MEMORY_OUTPUT_STREAM (data->data_stream)); - g_assert_cmpint (data->expected_size, >, 0); + g_assert_cmpuint (data->expected_size, >, 0); - data->expected_output = g_memdup (written, (guint)data->expected_size); + data->expected_output = g_memdup2 (written, data->expected_size); /* then recreate the streams and prepare them for the asynchronous close */ destroy_streams (data); --- a/gio/tests/gdbus-export.c +++ b/gio/tests/gdbus-export.c @@ -23,6 +23,7 @@ #include #include "gdbus-tests.h" +#include "gstrfuncsprivate.h" /* all tests rely on a shared mainloop */ static GMainLoop *loop = NULL; @@ -671,7 +672,7 @@ subtree_introspect (GDBusConnection g_assert_not_reached (); } - return g_memdup (interfaces, 2 * sizeof (void *)); + return g_memdup2 (interfaces, 2 * sizeof (void *)); } static const GDBusInterfaceVTable * @@ -727,7 +728,7 @@ dynamic_subtree_introspect (GDBusConnect { const GDBusInterfaceInfo *interfaces[2] = { &dyna_interface_info, NULL }; - return g_memdup (interfaces, 2 * sizeof (void *)); + return g_memdup2 (interfaces, 2 * sizeof (void *)); } static const GDBusInterfaceVTable * --- a/gio/win32/gwinhttpfile.c +++ b/gio/win32/gwinhttpfile.c @@ -29,6 +29,7 @@ #include "gio/gfile.h" #include "gio/gfileattribute.h" #include "gio/gfileinfo.h" +#include "gstrfuncsprivate.h" #include "gwinhttpfile.h" #include "gwinhttpfileinputstream.h" #include "gwinhttpfileoutputstream.h" @@ -393,10 +394,10 @@ child = g_object_new (G_TYPE_WINHTTP_FILE, NULL); child->vfs = winhttp_file->vfs; child->url = winhttp_file->url; - child->url.lpszScheme = g_memdup (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2); - child->url.lpszHostName = g_memdup (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2); - child->url.lpszUserName = g_memdup (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2); - child->url.lpszPassword = g_memdup (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2); + child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2); + child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2); + child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2); + child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2); child->url.lpszUrlPath = wnew_path; child->url.dwUrlPathLength = wcslen (wnew_path); child->url.lpszExtraInfo = NULL;