fix CVE-2024-40897
This commit is contained in:
wangjiang
parent
e377cea670
commit
aa898f20ed
123
backport-0001-CVE-2024-40897.patch
Normal file
123
backport-0001-CVE-2024-40897.patch
Normal file
@ -0,0 +1,123 @@
|
||||
From fb7db9ae3e8ac271651d1884a3611d30bac04a98 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
||||
Date: Tue, 9 Jul 2024 12:11:37 +0300
|
||||
Subject: [PATCH] Use vasprintf() if available for error messages and otherwise
|
||||
vsnprintf()
|
||||
|
||||
vasprintf() is a GNU/BSD extension and would allocate as much memory as required
|
||||
on the heap, similar to g_strdup_printf(). It's ridiculous that such a function
|
||||
is still not provided as part of standard C.
|
||||
|
||||
If it's not available, use vsnprintf() to at least avoid stack/heap buffer
|
||||
overflows, which can lead to arbitrary code execution.
|
||||
|
||||
Thanks to Noriko Totsuka for reporting.
|
||||
|
||||
Fixes JVN#02030803 / JPCERT#92912620 / CVE-2024-40897
|
||||
Fixes #69
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/gstreamer/orc/-/merge_requests/191>
|
||||
---
|
||||
meson.build | 1 +
|
||||
orc/orccompiler.c | 6 +++++-
|
||||
orc/orcparse.c | 28 +++++++++++++++++++++++++---
|
||||
3 files changed, 31 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/meson.build b/meson.build
|
||||
index 4054c1d..d22c5e7 100644
|
||||
--- a/meson.build
|
||||
+++ b/meson.build
|
||||
@@ -120,6 +120,7 @@ int main() {
|
||||
'''
|
||||
cdata.set('HAVE_MONOTONIC_CLOCK', cc.compiles(monotonic_test))
|
||||
cdata.set('HAVE_GETTIMEOFDAY', cc.has_function('gettimeofday'))
|
||||
+cdata.set('HAVE_VASPRINTF', cc.has_function('vasprintf'))
|
||||
cdata.set('HAVE_POSIX_MEMALIGN', cc.has_function('posix_memalign', prefix : '#include <stdlib.h>'))
|
||||
cdata.set('HAVE_MMAP', cc.has_function('mmap'))
|
||||
|
||||
diff --git a/orc/orccompiler.c b/orc/orccompiler.c
|
||||
index 7f7b4d4..a1c9699 100644
|
||||
--- a/orc/orccompiler.c
|
||||
+++ b/orc/orccompiler.c
|
||||
@@ -1310,8 +1310,12 @@ orc_compiler_error_valist (OrcCompiler *compiler, const char *fmt,
|
||||
|
||||
if (compiler->error_msg) return;
|
||||
|
||||
+#ifdef HAVE_VASPRINTF
|
||||
+ vasprintf (&s, fmt, args);
|
||||
+#else
|
||||
s = malloc (ORC_COMPILER_ERROR_BUFFER_SIZE);
|
||||
- vsprintf (s, fmt, args);
|
||||
+ vsnprintf (s, ORC_COMPILER_ERROR_BUFFER_SIZE, fmt, args);
|
||||
+#endif
|
||||
compiler->error_msg = s;
|
||||
compiler->error = TRUE;
|
||||
compiler->result = ORC_COMPILE_RESULT_UNKNOWN_COMPILE;
|
||||
diff --git a/orc/orcparse.c b/orc/orcparse.c
|
||||
index f46b0be..f90b5ff 100644
|
||||
--- a/orc/orcparse.c
|
||||
+++ b/orc/orcparse.c
|
||||
@@ -16,6 +16,7 @@
|
||||
* @short_description: Parse Orc source code
|
||||
*/
|
||||
|
||||
+#define ORC_ERROR_LENGTH 256
|
||||
|
||||
typedef struct _OrcParser OrcParser;
|
||||
struct _OrcParser {
|
||||
@@ -401,11 +402,19 @@ opcode_arg_size (OrcStaticOpcode *opcode, int arg)
|
||||
static void
|
||||
orc_parse_log_valist (OrcParser *parser, const char *format, va_list args)
|
||||
{
|
||||
- char s[100];
|
||||
int len;
|
||||
|
||||
if (parser->error_program != parser->program) {
|
||||
- sprintf(s, "In function %s:\n", parser->program->name);
|
||||
+#ifdef HAVE_VASPRINTF
|
||||
+ char *s = NULL;
|
||||
+ asprintf (&s, "In function %s:\n", parser->program->name);
|
||||
+#elif defined(_UCRT)
|
||||
+ char s[100] = { '\0' };
|
||||
+ snprintf_s (s, 100, _TRUNCATE, "In function %s:\n", parser->program->name);
|
||||
+#else
|
||||
+ char s[100] = { '\0' };
|
||||
+ snprintf (s, sizeof (s), "In function %s:\n", parser->program->name);
|
||||
+#endif
|
||||
len = strlen(s);
|
||||
|
||||
if (parser->log_size + len + 1 >= parser->log_alloc) {
|
||||
@@ -416,9 +425,18 @@ orc_parse_log_valist (OrcParser *parser, const char *format, va_list args)
|
||||
strcpy (parser->log + parser->log_size, s);
|
||||
parser->log_size += len;
|
||||
parser->error_program = parser->program;
|
||||
+#ifdef HAVE_VASPRINTF
|
||||
+ free (s);
|
||||
+#endif
|
||||
}
|
||||
|
||||
- vsprintf(s, format, args);
|
||||
+#ifdef HAVE_VASPRINTF
|
||||
+ char *s;
|
||||
+ vasprintf (&s, format, args);
|
||||
+#else
|
||||
+ char s[ORC_ERROR_LENGTH] = { '\0' };
|
||||
+ vsnprintf (s, sizeof (s), format, args);
|
||||
+#endif
|
||||
len = strlen(s);
|
||||
|
||||
if (parser->log_size + len + 1 >= parser->log_alloc) {
|
||||
@@ -428,6 +446,10 @@ orc_parse_log_valist (OrcParser *parser, const char *format, va_list args)
|
||||
|
||||
strcpy (parser->log + parser->log_size, s);
|
||||
parser->log_size += len;
|
||||
+
|
||||
+#ifdef HAVE_VASPRINTF
|
||||
+ free (s);
|
||||
+#endif
|
||||
}
|
||||
|
||||
static void
|
||||
--
|
||||
2.43.0
|
||||
|
||||
55
backport-0002-CVE-2024-40897.patch
Normal file
55
backport-0002-CVE-2024-40897.patch
Normal file
@ -0,0 +1,55 @@
|
||||
From abd75edff9de9a06d0531b9db50963a0da42145c Mon Sep 17 00:00:00 2001
|
||||
From: "L. E. Segovia" <amy@centricular.com>
|
||||
Date: Tue, 9 Jul 2024 12:03:53 -0300
|
||||
Subject: [PATCH] orccompiler, orcparse: Use secure UCRT printing functions on
|
||||
Windows
|
||||
|
||||
See #69
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/gstreamer/orc/-/merge_requests/191>
|
||||
---
|
||||
orc/orccompiler.c | 5 ++++-
|
||||
orc/orcparse.c | 5 ++++-
|
||||
2 files changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/orc/orccompiler.c b/orc/orccompiler.c
|
||||
index a1c9699..8131b9c 100644
|
||||
--- a/orc/orccompiler.c
|
||||
+++ b/orc/orccompiler.c
|
||||
@@ -1306,12 +1306,15 @@ static void
|
||||
orc_compiler_error_valist (OrcCompiler *compiler, const char *fmt,
|
||||
va_list args)
|
||||
{
|
||||
- char *s;
|
||||
+ char *s = NULL;
|
||||
|
||||
if (compiler->error_msg) return;
|
||||
|
||||
#ifdef HAVE_VASPRINTF
|
||||
vasprintf (&s, fmt, args);
|
||||
+#elif defined(_UCRT)
|
||||
+ s = malloc (ORC_COMPILER_ERROR_BUFFER_SIZE);
|
||||
+ vsnprintf_s (s, ORC_COMPILER_ERROR_BUFFER_SIZE, _TRUNCATE, fmt, args);
|
||||
#else
|
||||
s = malloc (ORC_COMPILER_ERROR_BUFFER_SIZE);
|
||||
vsnprintf (s, ORC_COMPILER_ERROR_BUFFER_SIZE, fmt, args);
|
||||
diff --git a/orc/orcparse.c b/orc/orcparse.c
|
||||
index f90b5ff..e24f698 100644
|
||||
--- a/orc/orcparse.c
|
||||
+++ b/orc/orcparse.c
|
||||
@@ -431,8 +431,11 @@ orc_parse_log_valist (OrcParser *parser, const char *format, va_list args)
|
||||
}
|
||||
|
||||
#ifdef HAVE_VASPRINTF
|
||||
- char *s;
|
||||
+ char *s = NULL;
|
||||
vasprintf (&s, format, args);
|
||||
+#elif defined(_UCRT)
|
||||
+ char s[ORC_ERROR_LENGTH] = { '\0' };
|
||||
+ vsnprintf_s (s, ORC_ERROR_LENGTH, _TRUNCATE, format, args);
|
||||
#else
|
||||
char s[ORC_ERROR_LENGTH] = { '\0' };
|
||||
vsnprintf (s, sizeof (s), format, args);
|
||||
--
|
||||
2.43.0
|
||||
|
||||
10
orc.spec
10
orc.spec
@ -1,11 +1,14 @@
|
||||
Name: orc
|
||||
Version: 0.4.32
|
||||
Release: 2
|
||||
Release: 3
|
||||
Summary: The Oil Run-time Compiler
|
||||
License: BSD
|
||||
URL: http://cgit.freedesktop.org/gstreamer/orc/
|
||||
Source0: http://gstreamer.freedesktop.org/src/orc/%{name}-%{version}.tar.xz
|
||||
|
||||
Patch6000: backport-0001-CVE-2024-40897.patch
|
||||
Patch6001: backport-0002-CVE-2024-40897.patch
|
||||
|
||||
BuildRequires: gtk-doc libtool
|
||||
BuildRequires: meson >= 0.47.0
|
||||
|
||||
@ -80,7 +83,10 @@ The Orc compiler.
|
||||
%doc %{_datadir}/gtk-doc/html/orc/
|
||||
|
||||
%changelog
|
||||
* Tue Oct 25 2022 wangjiang <wangjiang37@h-partners.com> 0.4.32-2
|
||||
* Thu Aug 01 2024 wangjiang <wangjiang37@h-partners.com> - 0.4.32-3
|
||||
- fix CVE-2024-40897
|
||||
|
||||
* Tue Oct 25 2022 wangjiang <wangjiang37@h-partners.com> - 0.4.32-2
|
||||
- Rebuild for next release
|
||||
|
||||
* Thu Jan 28 2021 yuanxin <yuanxin24@huawei.com> - 0.4.32-1
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user