|
@@ -0,0 +1,94 @@
|
|
|
+From fb7db9ae3e8ac271651d1884a3611d30bac04a98 Mon Sep 17 00:00:00 2001
|
|
|
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
|
|
+Date: Tue, 9 Jul 2024 12:11:37 +0300
|
|
|
+Subject: [PATCH] Use vasprintf() if available for error messages and otherwise
|
|
|
+ vsnprintf()
|
|
|
+
|
|
|
+vasprintf() is a GNU/BSD extension and would allocate as much memory as required
|
|
|
+on the heap, similar to g_strdup_printf(). It's ridiculous that such a function
|
|
|
+is still not provided as part of standard C.
|
|
|
+
|
|
|
+If it's not available, use vsnprintf() to at least avoid stack/heap buffer
|
|
|
+overflows, which can lead to arbitrary code execution.
|
|
|
+
|
|
|
+Thanks to Noriko Totsuka for reporting.
|
|
|
+
|
|
|
+Fixes JVN#02030803 / JPCERT#92912620 / CVE-2024-40897
|
|
|
+Fixes #69
|
|
|
+
|
|
|
+Part-of: <https://gitlab.freedesktop.org/gstreamer/orc/-/merge_requests/191>
|
|
|
+Upstream: https://gitlab.freedesktop.org/gstreamer/orc/-/commit/fb7db9ae3e8ac271651d1884a3611d30bac04a98
|
|
|
+CVE: CVE-2024-40897
|
|
|
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
|
|
|
+---
|
|
|
+ meson.build | 1 +
|
|
|
+ orc/orccompiler.c | 6 +++++-
|
|
|
+ orc/orcparse.c | 14 +++++++++++---
|
|
|
+ 3 files changed, 17 insertions(+), 4 deletions(-)
|
|
|
+
|
|
|
+diff --git a/meson.build b/meson.build
|
|
|
+index c7ba5d7d..fe8c6016 100644
|
|
|
+--- a/meson.build
|
|
|
++++ b/meson.build
|
|
|
+@@ -128,6 +128,7 @@ int main() {
|
|
|
+ '''
|
|
|
+ cdata.set('HAVE_MONOTONIC_CLOCK', cc.compiles(monotonic_test))
|
|
|
+ cdata.set('HAVE_GETTIMEOFDAY', cc.has_function('gettimeofday'))
|
|
|
++cdata.set('HAVE_VASPRINTF', cc.has_function('vasprintf'))
|
|
|
+ cdata.set('HAVE_POSIX_MEMALIGN', cc.has_function('posix_memalign', prefix : '#include <stdlib.h>'))
|
|
|
+ cdata.set('HAVE_MMAP', cc.has_function('mmap'))
|
|
|
+ cdata.set('HAVE_SYS_TIME_H', cc.has_header('sys/time.h'))
|
|
|
+diff --git a/orc/orccompiler.c b/orc/orccompiler.c
|
|
|
+index 1e24b8a3..d3394612 100644
|
|
|
+--- a/orc/orccompiler.c
|
|
|
++++ b/orc/orccompiler.c
|
|
|
+@@ -1332,8 +1332,12 @@ orc_compiler_error_valist (OrcCompiler *compiler, const char *fmt,
|
|
|
+
|
|
|
+ if (compiler->error_msg) return;
|
|
|
+
|
|
|
++#ifdef HAVE_VASPRINTF
|
|
|
++ vasprintf (&s, fmt, args);
|
|
|
++#else
|
|
|
+ s = malloc (ORC_COMPILER_ERROR_BUFFER_SIZE);
|
|
|
+- vsprintf (s, fmt, args);
|
|
|
++ vsnprintf (s, ORC_COMPILER_ERROR_BUFFER_SIZE, fmt, args);
|
|
|
++#endif
|
|
|
+ compiler->error_msg = s;
|
|
|
+ compiler->error = TRUE;
|
|
|
+ compiler->result = ORC_COMPILE_RESULT_UNKNOWN_COMPILE;
|
|
|
+diff --git a/orc/orcparse.c b/orc/orcparse.c
|
|
|
+index b0d67095..ae4f1b6b 100644
|
|
|
+--- a/orc/orcparse.c
|
|
|
++++ b/orc/orcparse.c
|
|
|
+@@ -424,17 +424,25 @@ orc_parse_get_error_where (OrcParser *parser)
|
|
|
+ static void
|
|
|
+ orc_parse_add_error_valist (OrcParser *parser, const char *format, va_list args)
|
|
|
+ {
|
|
|
+- char text[ORC_ERROR_LENGTH] = { '\0' };
|
|
|
+-
|
|
|
+ if (parser->error_program != parser->program) {
|
|
|
+ parser->error_program = parser->program;
|
|
|
+ }
|
|
|
+
|
|
|
+- vsprintf (text, format, args);
|
|
|
++#ifdef HAVE_VASPRINTF
|
|
|
++ char *text;
|
|
|
++ vasprintf (&text, format, args);
|
|
|
++#else
|
|
|
++ char text[ORC_ERROR_LENGTH] = { '\0' };
|
|
|
++ vsnprintf (text, sizeof (text), format, args);
|
|
|
++#endif
|
|
|
+
|
|
|
+ orc_vector_append (&parser->errors,
|
|
|
+ orc_parse_error_new (orc_parse_get_error_where (parser),
|
|
|
+ parser->line_number, -1, text));
|
|
|
++
|
|
|
++#ifdef HAVE_VASPRINTF
|
|
|
++ free (text);
|
|
|
++#endif
|
|
|
+ }
|
|
|
+
|
|
|
+ static void
|
|
|
+--
|
|
|
+GitLab
|
|
|
+
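Review bot: The return value of `vasprintf()` is ignored in both new `#ifdef HAVE_VASPRINTF` branches, in `orc_compiler_error_valist` (orc/orccompiler.c) and in `orc_parse_add_error_valist` (orc/orcparse.c). On failure it returns -1, and the glibc manual page says the pointer's contents are then undefined, so `compiler->error_msg = s` can store an indeterminate pointer, and `text` can reach `orc_parse_error_new()` and `free (text)` in the same state. Checking the result closes that path, for example `if (vasprintf (&s, fmt, args) < 0) s = NULL;` and `if (vasprintf (&text, format, args) < 0) text = NULL;`. Whether `orc_parse_error_new()` tolerates a NULL text is not visible in this patch and needs confirming. In the `#else` branch of `orc_compiler_error_valist`, the `malloc (ORC_COMPILER_ERROR_BUFFER_SIZE)` result is still passed to `vsnprintf()` unchecked, and truncation is silent, so `if (s) vsnprintf (s, ORC_COMPILER_ERROR_BUFFER_SIZE, fmt, args);` would be the matching guard there; the start of that function lies outside the hunk.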
|