ALP-pool/uriparser
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Sync from SUSE:ALP:Source:Standard:1.0 uriparser revision 40960d33d7fa9b612b1dbc30e6fe983b

Browse Source
This commit is contained in:
Adrian Schröter 2024-11-28 14:25:33 +01:00
parent ad15d508f0
commit 6b7eaf87b6
4 changed files with 87 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
CVE-2024-34402.patch Normal file
View File

@ -0,0 +1,44 @@
From 760ade2947415dbb100053cf793c2f96fe257386 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Sun, 28 Apr 2024 21:26:45 +0200
Subject: [PATCH] Protect against integer overflow in ComposeQueryEngine
Requires string input that is longer than INT_MAX to exploit.
---
src/UriQuery.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/UriQuery.c b/src/UriQuery.c
index b2734bc2..29c6f473 100644
--- a/src/UriQuery.c
+++ b/src/UriQuery.c
@@ -70,6 +70,7 @@
#include <limits.h>
+#include <stddef.h> /* size_t */
@@ -218,16 +219,16 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHAR * dest,
const URI_CHAR * const key = queryList->key;
const URI_CHAR * const value = queryList->value;
const int worstCase = (normalizeBreaks == URI_TRUE ? 6 : 3);
- const int keyLen = (key == NULL) ? 0 : (int)URI_STRLEN(key);
+ const size_t keyLen = (key == NULL) ? 0 : URI_STRLEN(key);
int keyRequiredChars;
- const int valueLen = (value == NULL) ? 0 : (int)URI_STRLEN(value);
+ const size_t valueLen = (value == NULL) ? 0 : URI_STRLEN(value);
int valueRequiredChars;
- if ((keyLen >= INT_MAX / worstCase) || (valueLen >= INT_MAX / worstCase)) {
+ if ((keyLen >= (size_t)INT_MAX / worstCase) || (valueLen >= (size_t)INT_MAX / worstCase)) {
return URI_ERROR_OUTPUT_TOO_LARGE;
}
- keyRequiredChars = worstCase * keyLen;
- valueRequiredChars = worstCase * valueLen;
+ keyRequiredChars = worstCase * (int)keyLen;
+ valueRequiredChars = worstCase * (int)valueLen;
if (dest == NULL) {
(*charsRequired) += ampersandLen + keyRequiredChars + ((value == NULL)

29
CVE-2024-34403.patch Normal file
View File

@ -0,0 +1,29 @@
From bb6b9b3f25fbafeb12dac68574d9f677b09880e3 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Sun, 28 Apr 2024 21:57:27 +0200
Subject: [PATCH] Protect against integer overflow in ComposeQueryMallocExMm
Requires string input that is longer than INT_MAX / 6 - 1 to exploit.
---
src/UriQuery.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/UriQuery.c b/src/UriQuery.c
index b2734bc2..4885ff05 100644
--- a/src/UriQuery.c
+++ b/src/UriQuery.c
@@ -177,10 +177,13 @@ int URI_FUNC(ComposeQueryMallocExMm)(URI_CHAR ** dest,
if (res != URI_SUCCESS) {
return res;
}
+ if (charsRequired == INT_MAX) {
+ return URI_ERROR_MALLOC;
+ }
charsRequired++;
/* Allocate space */
- queryString = memory->malloc(memory, charsRequired * sizeof(URI_CHAR));
+ queryString = memory->calloc(memory, charsRequired, sizeof(URI_CHAR));
if (queryString == NULL) {
return URI_ERROR_MALLOC;
}

9
uriparser.changes
View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Wed May 29 08:35:29 UTC 2024 - Adam Majer <adam.majer@suse.de>
- CVE-2024-34402.patch: Protect against integer overflow in
ComposeQueryEngine (bsc#1223887, CVE-2024-34402)
- CVE-2024-34403.patch: Protect against integer overflow in
ComposeQueryMallocExMm (bsc#1223888, CVE-2024-34403)
- enable unit tests
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Oct 17 11:52:32 UTC 2022 - Dirk Müller <dmueller@suse.com> Mon Oct 17 11:52:32 UTC 2022 - Dirk Müller <dmueller@suse.com>

8
uriparser.spec
View File

@ -16,7 +16,7 @@
# #
%bcond_with googletest %bcond_without googletest
%define so_ver 1 %define so_ver 1
Name: uriparser Name: uriparser
@ -28,6 +28,8 @@ Group: Development/Libraries/C and C++
URL: https://uriparser.github.io URL: https://uriparser.github.io
Source: https://github.com/uriparser/uriparser/releases/download/uriparser-%{version}/uriparser-%{version}.tar.xz Source: https://github.com/uriparser/uriparser/releases/download/uriparser-%{version}/uriparser-%{version}.tar.xz
Source1: baselibs.conf Source1: baselibs.conf
Patch1: CVE-2024-34402.patch
Patch2: CVE-2024-34403.patch
BuildRequires: cmake BuildRequires: cmake
BuildRequires: doxygen BuildRequires: doxygen
BuildRequires: fdupes BuildRequires: fdupes
@ -91,7 +93,7 @@ and supports Unicode.
This subpackage contains the documentation for %{name}. This subpackage contains the documentation for %{name}.
%prep %prep
%setup -q -n %{name}-%{version} %autosetup -p1
%build %build
%cmake \ %cmake \
@ -115,7 +117,7 @@ This subpackage contains the documentation for %{name}.
%if %{with googletest} %if %{with googletest}
%check %check
export MALLOC_CHECK_=2 MALLOC_PERTURB_=$((${RANDOM:-256} % 256)) export MALLOC_CHECK_=2 MALLOC_PERTURB_=$((${RANDOM:-256} % 256))
make %{?_smp_mflags} check %ctest
unset MALLOC_CHECK_ MALLOC_PERTURB_ unset MALLOC_CHECK_ MALLOC_PERTURB_
%endif %endif