From 1254da9759827c7573e90d7f78048ef6a84cfe1713c747efd02583a5392c2394 Mon Sep 17 00:00:00 2001
From: Matej Cepl <mcepl@suse.com>
Date: Thu, 8 Jul 2021 21:55:28 +0000
Subject: [PATCH] Accepting request 905118 from
 home:mcepl:branches:devel:libraries:c_c++

- Add CVE-2021-22918.patch: patch libuv to fix out of bounds read
  (Medium) (bsc#1187973, CVE-2021-22918)

OBS-URL: https://build.opensuse.org/request/show/905118
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libuv?expand=0&rev=52
---
 CVE-2021-22918.patch | 146 +++++++++++++++++++++++++++++++++++++++++++
 fix_tests.patch      |  18 +++---
 libuv.changes        |   6 ++
 libuv.spec           |   3 +
 4 files changed, 165 insertions(+), 8 deletions(-)
 create mode 100644 CVE-2021-22918.patch

diff --git a/CVE-2021-22918.patch b/CVE-2021-22918.patch
new file mode 100644
index 0000000..edb7032
--- /dev/null
+++ b/CVE-2021-22918.patch
@@ -0,0 +1,146 @@
+---
+ src/idna.c |   49 ++++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 36 insertions(+), 13 deletions(-)
+
+--- a/src/idna.c
++++ b/src/idna.c
+@@ -19,6 +19,7 @@
+ 
+ #include "uv.h"
+ #include "idna.h"
++#include <assert.h>
+ #include <string.h>
+ 
+ static unsigned uv__utf8_decode1_slow(const char** p,
+@@ -32,7 +33,7 @@ static unsigned uv__utf8_decode1_slow(co
+   if (a > 0xF7)
+     return -1;
+ 
+-  switch (*p - pe) {
++  switch (pe - *p) {
+   default:
+     if (a > 0xEF) {
+       min = 0x10000;
+@@ -62,6 +63,8 @@ static unsigned uv__utf8_decode1_slow(co
+       a = 0;
+       break;
+     }
++    /* Fall through. */
++  case 0:
+     return -1;  /* Invalid continuation byte. */
+   }
+ 
+@@ -88,6 +91,8 @@ static unsigned uv__utf8_decode1_slow(co
+ unsigned uv__utf8_decode1(const char** p, const char* pe) {
+   unsigned a;
+ 
++  assert(*p < pe);
++
+   a = (unsigned char) *(*p)++;
+ 
+   if (a < 128)
+@@ -96,9 +101,6 @@ unsigned uv__utf8_decode1(const char** p
+   return uv__utf8_decode1_slow(p, pe, a);
+ }
+ 
+-#define foreach_codepoint(c, p, pe) \
+-  for (; (void) (*p <= pe && (c = uv__utf8_decode1(p, pe))), *p <= pe;)
+-
+ static int uv__idna_toascii_label(const char* s, const char* se,
+                                   char** d, char* de) {
+   static const char alphabet[] = "abcdefghijklmnopqrstuvwxyz0123456789";
+@@ -121,15 +123,22 @@ static int uv__idna_toascii_label(const
+   ss = s;
+   todo = 0;
+ 
+-  foreach_codepoint(c, &s, se) {
++  /* Note: after this loop we've visited all UTF-8 characters and know
++   * they're legal so we no longer need to check for decode errors.
++   */
++  while (s < se) {
++    c = uv__utf8_decode1(&s, se);
++
++    if (c == -1u)
++      return UV_EINVAL;
++
+     if (c < 128)
+       h++;
+-    else if (c == (unsigned) -1)
+-      return UV_EINVAL;
+     else
+       todo++;
+   }
+ 
++  /* Only write "xn--" when there are non-ASCII characters. */
+   if (todo > 0) {
+     if (*d < de) *(*d)++ = 'x';
+     if (*d < de) *(*d)++ = 'n';
+@@ -137,9 +146,13 @@ static int uv__idna_toascii_label(const
+     if (*d < de) *(*d)++ = '-';
+   }
+ 
++  /* Write ASCII characters. */
+   x = 0;
+   s = ss;
+-  foreach_codepoint(c, &s, se) {
++  while (s < se) {
++    c = uv__utf8_decode1(&s, se);
++    assert(c != -1u);
++
+     if (c > 127)
+       continue;
+ 
+@@ -166,10 +179,15 @@ static int uv__idna_toascii_label(const
+   while (todo > 0) {
+     m = -1;
+     s = ss;
+-    foreach_codepoint(c, &s, se)
++
++    while (s < se) {
++      c = uv__utf8_decode1(&s, se);
++      assert(c != -1u);
++
+       if (c >= n)
+         if (c < m)
+           m = c;
++    }
+ 
+     x = m - n;
+     y = h + 1;
+@@ -181,7 +199,10 @@ static int uv__idna_toascii_label(const
+     n = m;
+ 
+     s = ss;
+-    foreach_codepoint(c, &s, se) {
++    while (s < se) {
++      c = uv__utf8_decode1(&s, se);
++      assert(c != -1u);
++
+       if (c < n)
+         if (++delta == 0)
+           return UV_E2BIG;  /* Overflow. */
+@@ -245,8 +266,6 @@ static int uv__idna_toascii_label(const
+   return 0;
+ }
+ 
+-#undef foreach_codepoint
+-
+ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {
+   const char* si;
+   const char* st;
+@@ -256,10 +275,14 @@ long uv__idna_toascii(const char* s, con
+ 
+   ds = d;
+ 
+-  for (si = s; si < se; /* empty */) {
++  si = s;
++  while (si < se) {
+     st = si;
+     c = uv__utf8_decode1(&si, se);
+ 
++    if (c == -1u)
++      return UV_EINVAL;
++
+     if (c != '.')
+       if (c != 0x3002)  /* 。 */
+         if (c != 0xFF0E)  /* ． */
diff --git a/fix_tests.patch b/fix_tests.patch
index 46ffe08..4de70ed 100644
--- a/fix_tests.patch
+++ b/fix_tests.patch
@@ -1,7 +1,9 @@
-Index: libuv-v1.39.0/test/test-list.h
-===================================================================
---- libuv-v1.39.0.orig/test/test-list.h
-+++ libuv-v1.39.0/test/test-list.h
+---
+ test/test-list.h |   11 -----------
+ 1 file changed, 11 deletions(-)
+
+--- a/test/test-list.h
++++ b/test/test-list.h
 @@ -78,7 +78,6 @@ TEST_DECLARE   (tty_pty)
  TEST_DECLARE   (stdio_over_pipes)
  TEST_DECLARE   (stdio_emulate_iocp)
@@ -10,7 +12,7 @@ Index: libuv-v1.39.0/test/test-list.h
  TEST_DECLARE   (ipc_heavy_traffic_deadlock_bug)
  TEST_DECLARE   (ipc_listen_before_write)
  TEST_DECLARE   (ipc_listen_after_write)
-@@ -166,11 +165,7 @@ TEST_DECLARE   (udp_send_hang_loop)
+@@ -167,11 +166,7 @@ TEST_DECLARE   (udp_send_hang_loop)
  TEST_DECLARE   (udp_send_immediate)
  TEST_DECLARE   (udp_send_unreachable)
  TEST_DECLARE   (udp_mmsg)
@@ -22,7 +24,7 @@ Index: libuv-v1.39.0/test/test-list.h
  TEST_DECLARE   (udp_dgram_too_big)
  TEST_DECLARE   (udp_dual_stack)
  TEST_DECLARE   (udp_ipv6_only)
-@@ -600,7 +595,6 @@ TASK_LIST_START
+@@ -604,7 +599,6 @@ TASK_LIST_START
    TEST_ENTRY  (stdio_over_pipes)
    TEST_ENTRY  (stdio_emulate_iocp)
    TEST_ENTRY  (ip6_pton)
@@ -30,7 +32,7 @@ Index: libuv-v1.39.0/test/test-list.h
    TEST_ENTRY  (ipc_heavy_traffic_deadlock_bug)
    TEST_ENTRY  (ipc_listen_before_write)
    TEST_ENTRY  (ipc_listen_after_write)
-@@ -731,10 +725,6 @@ TASK_LIST_START
+@@ -741,10 +735,6 @@ TASK_LIST_START
    TEST_ENTRY  (udp_options6)
    TEST_ENTRY  (udp_no_autobind)
    TEST_ENTRY  (udp_mmsg)
@@ -41,7 +43,7 @@ Index: libuv-v1.39.0/test/test-list.h
    TEST_ENTRY  (udp_multicast_ttl)
    TEST_ENTRY  (udp_sendmmsg_error)
    TEST_ENTRY  (udp_try_send)
-@@ -872,7 +862,6 @@ TASK_LIST_START
+@@ -882,7 +872,6 @@ TASK_LIST_START
  
    TEST_ENTRY  (getnameinfo_basic_ip4)
    TEST_ENTRY  (getnameinfo_basic_ip4_sync)
diff --git a/libuv.changes b/libuv.changes
index 615b83f..870c6b9 100644
--- a/libuv.changes
+++ b/libuv.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Jul  8 20:02:46 UTC 2021 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2021-22918.patch: patch libuv to fix out of bounds read
+  (Medium) (bsc#1187973, CVE-2021-22918)
+
 -------------------------------------------------------------------
 Tue Feb 23 22:43:09 UTC 2021 - Dirk Müller <dmueller@suse.com>
 
diff --git a/libuv.spec b/libuv.spec
index 82926ab..0e32331 100644
--- a/libuv.spec
+++ b/libuv.spec
@@ -29,6 +29,9 @@ Source1:        https://dist.libuv.org/dist/v%{version}/libuv-v%{version}.tar.gz
 Source2:        %{name}.keyring
 Source3:        baselibs.conf
 Patch1:         fix_tests.patch
+# PATCH-FIX-UPSTREAM CVE-2021-22918.patch bsc#[0-9]+ mcepl@suse.com
+# fix OOB read in punycode decoder (CVE-2021-22918, bsc#1187973)
+Patch2:         CVE-2021-22918.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libtool