packages/libarchive
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!1 libarchive: bugfix about CVE-2019-19221

Browse Source 
Merge pull request !1 from orange-snn/init
This commit is contained in:
openeuler-ci-bot 2020-01-03 16:50:09 +08:00 committed by Gitee
commit 06816159a5
2 changed files with 106 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

98
libarchive-CVE-2019-19221.patch Normal file
View File

@ -0,0 +1,98 @@
From 22b1db9d46654afc6f0c28f90af8cdc84a199f41 Mon Sep 17 00:00:00 2001
From: Martin Matuska <martin@matuska.org>
Date: Thu, 21 Nov 2019 03:08:40 +0100
Subject: [PATCH] Bugfix and optimize archive_wstring_append_from_mbs()
The cal to mbrtowc() or mbtowc() should read up to mbs_length
bytes and not wcs_length. This avoids out-of-bounds reads.
mbrtowc() and mbtowc() return (size_t)-1 wit errno EILSEQ when
they encounter an invalid multibyte character and (size_t)-2 when
they they encounter an incomplete multibyte character. As we return
failure and all our callers error out it makes no sense to continue
parsing mbs.
As we allocate `len` wchars at the beginning and each wchar has
at least one byte, there will never be need to grow the buffer,
so the code can be left out. On the other hand, we are always
allocatng more memory than we need.
As long as wcs_length == mbs_length == len we can omit wcs_length.
We keep the old code commented if we decide to save memory and
use autoexpanding wcs_length in the future.
Fixes #1276
---
libarchive/archive_string.c | 28 +++++++++++++++++-----------
1 file changed, 17 insertions(+), 11 deletions(-)
diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c
index 979a418b6..bd39c96f1 100644
--- a/libarchive/archive_string.c
+++ b/libarchive/archive_string.c
@@ -591,7 +591,7 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
* No single byte will be more than one wide character,
* so this length estimate will always be big enough.
*/
- size_t wcs_length = len;
+ // size_t wcs_length = len;
size_t mbs_length = len;
const char *mbs = p;
wchar_t *wcs;
@@ -600,7 +600,11 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
memset(&shift_state, 0, sizeof(shift_state));
#endif
- if (NULL == archive_wstring_ensure(dest, dest->length + wcs_length + 1))
+ /*
+ * As we decided to have wcs_length == mbs_length == len
+ * we can use len here instead of wcs_length
+ */
+ if (NULL == archive_wstring_ensure(dest, dest->length + len + 1))
return (-1);
wcs = dest->s + dest->length;
/*
@@ -609,6 +613,12 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
* multi bytes.
*/
while (*mbs && mbs_length > 0) {
+ /*
+ * The buffer we allocated is always big enough.
+ * Keep this code path in a comment if we decide to choose
+ * smaller wcs_length in the future
+ */
+/*
if (wcs_length == 0) {
dest->length = wcs - dest->s;
dest->s[dest->length] = L'\0';
@@ -618,24 +628,20 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
return (-1);
wcs = dest->s + dest->length;
}
+*/
#if HAVE_MBRTOWC
- r = mbrtowc(wcs, mbs, wcs_length, &shift_state);
+ r = mbrtowc(wcs, mbs, mbs_length, &shift_state);
#else
- r = mbtowc(wcs, mbs, wcs_length);
+ r = mbtowc(wcs, mbs, mbs_length);
#endif
if (r == (size_t)-1 || r == (size_t)-2) {
ret_val = -1;
- if (errno == EILSEQ) {
- ++mbs;
- --mbs_length;
- continue;
- } else
- break;
+ break;
}
if (r == 0 || r > mbs_length)
break;
wcs++;
- wcs_length--;
+ // wcs_length--;
mbs += r;
mbs_length -= r;
}

9
libarchive.spec
View File

@ -2,7 +2,7 @@
Name: libarchive
Version: 3.4.0
Release: 2
Release: 3
Summary: Multi-format archive and compression library
License: BSD
@ -10,6 +10,7 @@ URL: https://www.%{name}.org/
Source0: https://www.%{name}.org/downloads/%{name}-%{version}.tar.gz
Patch0: libarchive-fix-zstd-test.patch
Patch1: libarchive-CVE-2019-19221.patch
BuildRequires: gcc bison sharutils zlib-devel bzip2-devel xz-devel
BuildRequires: lzo-devel e2fsprogs-devel libacl-devel libattr-devel
@ -147,6 +148,12 @@ run_testsuite
%{_mandir}/man5/*
%changelog
* Thu Jan 3 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.4.0-3
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:bugfix about CVE-2019-19221.patch
* Wed Oct 9 2019 openEuler Buildteam <buildteam@openeuler.org> - 3.4.0-2
- Type:bugfix
- Id:NA