From 355db9f7c3167713556ad34f198e5e7a96932c0d Mon Sep 17 00:00:00 2001 From: "mykola.salomatin" Date: Tue, 2 Mar 2021 18:14:06 +0200 Subject: [MTX-3853] Fix integer overflows in libfastjson --- .../libfastjson/libfastjson/CVE-2020-12762.patch | 80 ++++++++++++++++++++++ .../libfastjson/libfastjson_%.bbappend | 5 ++ 2 files changed, 85 insertions(+) create mode 100644 recipes-extended/libfastjson/libfastjson/CVE-2020-12762.patch create mode 100644 recipes-extended/libfastjson/libfastjson_%.bbappend diff --git a/recipes-extended/libfastjson/libfastjson/CVE-2020-12762.patch b/recipes-extended/libfastjson/libfastjson/CVE-2020-12762.patch new file mode 100644 index 0000000..84e8206 --- /dev/null +++ b/recipes-extended/libfastjson/libfastjson/CVE-2020-12762.patch @@ -0,0 +1,80 @@ +From 73d5726b116e89d1e756419ceea5ed071d211642 Mon Sep 17 00:00:00 2001 +From: "mykola.salomatin" +Date: Tue, 2 Mar 2021 13:22:21 +0200 +Subject: [PATCH] Fix integer overflows + +This commit is a backport of the following commit in json-c: + * d07b91014986900a3a75f306d302e13e005e9d67 + +In component json-c, several files were affected: + * linkhash.c + * arraylist.c + * printbuf.c + +In the current version of the libfastjson (0.99.8): + * linkhash.c was removed, + * arraylist.c doesn't have a necessary function for patching, + * printbuf.c is patched manually in current patch. + +--- +CVE: CVE-2020-12762 +Signed-off-by: Mykola Salomatin + + printbuf.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/printbuf.c b/printbuf.c +index cc0f0d2..97e3ddd 100644 +--- a/printbuf.c ++++ b/printbuf.c +@@ -13,6 +13,7 @@ + + #include "config.h" + ++#include + #include + #include + #include +@@ -68,9 +69,16 @@ static int printbuf_extend(struct printbuf *p, int min_size) + if (p->size >= min_size) + return 0; + +- new_size = p->size * 2; +- if (new_size < min_size + 8) +- new_size = min_size + 8; ++ /* Prevent signed integer overflows with large buffers. */ ++ if (min_size > INT_MAX - 8) ++ return -1; ++ if (p->size > INT_MAX / 2) ++ new_size = min_size + 8; ++ else { ++ new_size = p->size * 2; ++ if (new_size < min_size + 8) ++ new_size = min_size + 8; ++ } + #ifdef PRINTBUF_DEBUG + MC_DEBUG("printbuf_memappend: realloc " + "bpos=%d min_size=%d old_size=%d new_size=%d\n", +@@ -85,6 +93,9 @@ static int printbuf_extend(struct printbuf *p, int min_size) + + int printbuf_memappend(struct printbuf *p, const char *buf, int size) + { ++ /* Prevent signed integer overflows with large buffers. */ ++ if (size > INT_MAX - p->bpos - 1) ++ return -1; + if (p->size <= p->bpos + size + 1) { + if (printbuf_extend(p, p->bpos + size + 1) < 0) + return -1; +@@ -136,6 +147,9 @@ int printbuf_memset(struct printbuf *pb, int offset, int charvalue, int len) + + if (offset == -1) + offset = pb->bpos; ++ /* Prevent signed integer overflows with large buffers. */ ++ if (len > INT_MAX - offset) ++ return -1; + size_needed = offset + len; + if (pb->size < size_needed) + { +-- +2.7.4 + diff --git a/recipes-extended/libfastjson/libfastjson_%.bbappend b/recipes-extended/libfastjson/libfastjson_%.bbappend new file mode 100644 index 0000000..103c92e --- /dev/null +++ b/recipes-extended/libfastjson/libfastjson_%.bbappend @@ -0,0 +1,5 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +PR.=".mlinux1" + +SRC_URI += "file://CVE-2020-12762.patch" -- cgit v1.2.3