gnu: mediastreamer2: Update to 4.4.34.
[jackhill/guix/guix.git] / gnu / packages / patches / glib-CVE-2021-27219-06.patch
1 From f9ee2275cbc312c0b4cdbc338a4fbb76eb36fb9a Mon Sep 17 00:00:00 2001
2 From: Philip Withnall <pwithnall@endlessos.org>
3 Date: Thu, 4 Feb 2021 13:49:00 +0000
4 Subject: [PATCH 06/11] gdatainputstream: Handle stop_chars_len internally as
5 gsize
6
7 Previously it was handled as a `gssize`, which meant that if the
8 `stop_chars` string was longer than `G_MAXSSIZE` there would be an
9 overflow.
10
11 Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
12 Helps: #2319
13 ---
14 gio/gdatainputstream.c | 25 +++++++++++++++++--------
15 1 file changed, 17 insertions(+), 8 deletions(-)
16
17 diff --git a/gio/gdatainputstream.c b/gio/gdatainputstream.c
18 index 2e7750cb5..2cdcbda19 100644
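--- a/gio/gdatainputstream.c
+++ b/gio/gdatainputstream.c
@@ -27,6 +27,7 @@
 #include "gioenumtypes.h"
 #include "gioerror.h"
 #include "glibintl.h"
+#include "gstrfuncsprivate.h"
 
 #include <string.h>
 
@@ -856,7 +857,7 @@ static gssize
 scan_for_chars (GDataInputStream *stream,
 gsize *checked_out,
 const char *stop_chars,
- gssize stop_chars_len)
+ gsize stop_chars_len)
 {
 GBufferedInputStream *bstream;
 const char *buffer;
@@ -952,7 +953,7 @@ typedef struct
 gsize checked;
 
 gchar *stop_chars;
- gssize stop_chars_len;
+ gsize stop_chars_len;
 gsize length;
 } GDataInputStreamReadData;
 
@@ -1078,12 +1079,17 @@ g_data_input_stream_read_async (GDataInputStream *stream,
 {
 GDataInputStreamReadData *data;
 GTask *task;
+ gsize stop_chars_len_unsigned;
 
 data = g_slice_new0 (GDataInputStreamReadData);
- if (stop_chars_len == -1)
- stop_chars_len = strlen (stop_chars);
- data->stop_chars = g_memdup (stop_chars, stop_chars_len);
- data->stop_chars_len = stop_chars_len;
+
+ if (stop_chars_len < 0)
+ stop_chars_len_unsigned = strlen (stop_chars);
+ else
+ stop_chars_len_unsigned = (gsize) stop_chars_len;
+
+ data->stop_chars = g_memdup2 (stop_chars, stop_chars_len_unsigned);
+ data->stop_chars_len = stop_chars_len_unsigned;
 data->last_saw_cr = FALSE;
 
 task = g_task_new (stream, cancellable, callback, user_data);
@@ -1338,17 +1344,20 @@ g_data_input_stream_read_upto (GDataInputStream *stream,
 gssize found_pos;
 gssize res;
 char *data_until;
+ gsize stop_chars_len_unsigned;
 
 g_return_val_if_fail (G_IS_DATA_INPUT_STREAM (stream), NULL);
 
 if (stop_chars_len < 0)
- stop_chars_len = strlen (stop_chars);
+ stop_chars_len_unsigned = strlen (stop_chars);
+ else
+ stop_chars_len_unsigned = (gsize) stop_chars_len;
 
 bstream = G_BUFFERED_INPUT_STREAM (stream);
 
 checked = 0;
 
- while ((found_pos = scan_for_chars (stream, &checked, stop_chars, stop_chars_len)) == -1)
+ while ((found_pos = scan_for_chars (stream, &checked, stop_chars, stop_chars_len_unsigned)) == -1)
 {
 if (g_buffered_input_stream_get_available (bstream) ==
 g_buffered_input_stream_get_buffer_size (bstream))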
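Review bot: In g_data_input_stream_read_upto the new branch still calls `strlen (stop_chars)` on a caller-supplied pointer whose only visible precondition check is the one on `stream`, so a NULL `stop_chars` passed with a negative length reaches strlen. A guard placed right after the existing stream check would reject that case before the length is derived, for example `g_return_val_if_fail (stop_chars != NULL || stop_chars_len == 0, NULL);`. The same negative-length branch is added in g_data_input_stream_read_async, where the test also widens from `== -1` to `< 0`, so any negative value (not just the documented sentinel) is now treated as "NUL-terminated"; that is probably intended for consistency with read_upto, but a one-line comment such as `/* any negative length means stop_chars is NUL-terminated */` would make the contract explicit. Both function bodies start and end outside the hunks, so a check may exist in lines not shown here.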
92 --
93 2.30.1
94