diff --git a/libical-bugfix-Cap-the-number-of-parameters.patch b/libical-bugfix-Cap-the-number-of-parameters.patch
new file mode 100644
index 0000000..3352f21
--- /dev/null
+++ b/libical-bugfix-Cap-the-number-of-parameters.patch
@@ -0,0 +1,69 @@
+From 97abaada05f20973a710e194ce7c91c80bf39fe6 Mon Sep 17 00:00:00 2001
+From: orange-snn
+Date: Tue, 10 Mar 2020 16:44:19 +0800
+Subject: [PATCH] vvv
+
+---
+ src/libical/icalparser.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/libical/icalparser.c b/src/libical/icalparser.c
+index 5715036..416080d 100644
+--- a/src/libical/icalparser.c
++++ b/src/libical/icalparser.c
+@@ -46,6 +46,9 @@
+
+ #define TMP_BUF_SIZE 80
+
++#define MAXIMUM_ALLOWED_PARAMETERS 100
++#define MAXIMUM_ALLOWED_MULTIPLE_VALUES 500
++
+ struct icalparser_impl
+ {
+ int buffer_full; /* flag indicates that temp is smaller that
+@@ -689,6 +692,7 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
+ {
+ char *str;
+ char *end;
++ int pcount = 0;
+ int vcount = 0;
+ icalproperty *prop;
+ icalproperty_kind prop_kind;
+@@ -864,7 +868,7 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
+
+ /* Now, add any parameters to the last property */
+
+- while (1) {
++ while (pcount < MAXIMUM_ALLOWED_PARAMETERS) {
+ if (*(end - 1) == ':') {
+ /* if the last separator was a ":" and the value is a
+ URL, icalparser_get_next_parameter will find the
+@@ -1083,6 +1087,7 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
+
+ icalmemory_free_buffer(str);
+ str = NULL;
++ pcount++;
+ continue;
+ }
+ }
+@@ -1092,7 +1097,7 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
+ tail = 0;
+ icalmemory_free_buffer(str);
+ str = NULL;
+-
++ pcount++;
+ } else {
+ /* str is NULL */
+ break;
+@@ -1109,7 +1114,7 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
+ parameter and add one part of the value to each clone */
+
+ vcount = 0;
+- while (1) {
++ while (vcount < MAXIMUM_ALLOWED_MULTIPLE_VALUES) {
+ /* Only some properties can have multiple values. This list was taken
+ from rfc5545.
Also added the x-properties, because the spec actually
+ says that commas should be escaped. For x-properties, other apps may
+--
+1.8.3.1
+
diff --git a/libical-bugfix-Reset-the-parser-level-to-0.patch b/libical-bugfix-Reset-the-parser-level-to-0.patch
new file mode 100644
index 0000000..007f49e
--- /dev/null
+++ b/libical-bugfix-Reset-the-parser-level-to-0.patch
@@ -0,0 +1,36 @@
+From fdeb2c05160969a3251eda1b3dbd7f855656fd12 Mon Sep 17 00:00:00 2001
+From: Kent Sutherland
+Date: Sat, 11 May 2019 19:59:03 +0000
+Subject: [PATCH] Reset the parser level to 0 when encountering a line with END
+ before BEGIN Fixes memory leaks caused by the parser behaving incorrectly
+ when the level is negative. oss-fuzz issue 14480, 14151, 14152, 14153, 14155.
+
+---
+ src/libical/icalparser.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/libical/icalparser.c b/src/libical/icalparser.c
+index 0530a4b..6d54a7c 100644
+--- a/src/libical/icalparser.c
++++ b/src/libical/icalparser.c
+@@ -795,8 +795,15 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
+ icalmemory_free_buffer(str);
+ str = NULL;
+
+- /* Return the component if we are back to the 0th level */
+- if (parser->level == 0) {
++ if (parser->level < 0) {
++ // Encountered an END before any BEGIN, this must be invalid data
++ icalerror_warn("Encountered END before BEGIN");
++
++ parser->state = ICALPARSER_ERROR;
++ parser->level = 0;
++ return 0;
++ } else if (parser->level == 0) {
++ /* Return the component if we are back to the 0th level */
+ icalcomponent *rtrn;
+
+ if (pvl_count(parser->components) != 0) {
+--
+2.19.1
+
diff --git a/libical-bugfix-attempt-to-make-Coverity-happy.patch b/libical-bugfix-attempt-to-make-Coverity-happy.patch
new file mode 100644
index 0000000..50b89d8
--- /dev/null
+++ b/libical-bugfix-attempt-to-make-Coverity-happy.patch
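Review bot: In libical-bugfix-Cap-the-number-of-parameters.patch, the loop `while (pcount < MAXIMUM_ALLOWED_PARAMETERS)` in icalparser_add_line simply stops once the cap is reached, and nothing visible in the hunks records that input was cut short, so a line carrying more parameters than the limit appears to fall through to value parsing with the unread parameter text still ahead of `end`. A check after the loop such as `if (pcount >= MAXIMUM_ALLOWED_PARAMETERS) { icalerror_warn("Parameter limit reached"); }` would make the truncation visible; the `vcount < MAXIMUM_ALLOWED_MULTIPLE_VALUES` loop in the last hunk has the same silent exit. `pcount` is incremented only on the two paths shown and both loop bodies run well outside these hunks, so any other `continue` inside them should be checked too. The two `#define`s would also read better with a comment saying what the limits protect against (presumably unbounded work on fuzzer-style input) and how 100 and 500 were chosen.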
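Review bot: In libical-bugfix-Reset-the-parser-level-to-0.patch, the new `parser->level < 0` branch is documented with a `//` comment that only restates the condition, while the surrounding code uses `/* */` and the reason for resetting the level lives only in the commit message. Something like `/* END without a matching BEGIN: flag the error and reset level to 0 so later lines are not parsed at a negative depth */` would keep the rationale next to the code. The branch returns 0 without attaching an error to any component, so callers presumably have to inspect `parser->state` to tell this case from an ordinary unfinished component; that contract deserves a sentence in the function's header comment, which is outside the hunk.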
@@ -0,0 +1,31 @@
+From 5048c2e6084bc0df1a80416bf9760f03e243bb09 Mon Sep 17 00:00:00 2001
+From: Allen Winter
+Date: Sun, 12 May 2019 16:55:44 -0400
+Subject: [PATCH] another attempt to make Coverity happy
+
+---
+ src/libical/icalparser.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/libical/icalparser.c b/src/libical/icalparser.c
+index 6d54a7c..de7a2a4 100644
+--- a/src/libical/icalparser.c
++++ b/src/libical/icalparser.c
+@@ -1004,7 +1004,13 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
+ /* Reparse the parameter name and value with the new segment */
+ if (!parser_get_param_name_stack(str, name_stack, sizeof(name_stack),
+ pvalue_stack, sizeof(pvalue_stack))) {
+- if (name_heap) {
++
++ if (pvalue_heap) {
++ icalmemory_free_buffer(pvalue_heap);
++ pvalue_heap = 0;
++ pvalue = 0;
++ }
++ if (name_heap) {
+ icalmemory_free_buffer(name_heap);
+ name = 0;
+ }
+--
+2.19.1
+
diff --git a/libical-bugfix-timeout-found-by-fuzzer.patch b/libical-bugfix-timeout-found-by-fuzzer.patch
new file mode 100644
index 0000000..3ae9d09
--- /dev/null
+++ b/libical-bugfix-timeout-found-by-fuzzer.patch
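Review bot: In libical-bugfix-attempt-to-make-Coverity-happy.patch, the `name_heap` branch frees the buffer and clears `name` but leaves `name_heap` itself pointing at freed memory, whereas the new `pvalue_heap` branch directly above it clears both pointers. Unless the code following the hunk reassigns `name_heap` before it is tested or freed again, that is a stale pointer on a path driven by parsed input; adding `name_heap = 0;` after the free makes the two branches consistent and removes the question. The enclosing block of icalparser_add_line continues past the hunk, so the reassignment cannot be confirmed from here.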
@@ -0,0 +1,52 @@
+From 3eacf85ec9dd638c2023c89c2a6cdf61107fc617 Mon Sep 17 00:00:00 2001
+From: Kent Sutherland
+Date: Fri, 14 Jun 2019 15:21:59 -0500
+Subject: [PATCH] Fix timeout found by fuzzer (oss-fuzz issue 14881) strspn is
+ really slow compared to doing direct comparisons
+
+---
+ src/libical/icalparser.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/src/libical/icalparser.c b/src/libical/icalparser.c
+index fa92495..0530a4b 100644
+--- a/src/libical/icalparser.c
++++ b/src/libical/icalparser.c
+@@ -221,21 +221,29 @@ static void parser_decode_param_value(char *value)
+ char *in, *out;
+
+ for (in = out = value; *in; in++, out++) {
+- if (*in == '^' && strspn(in+1, "n^'")) {
+- switch (*++in) {
+- case 'n':
++ int found_escaped_char = 0;
++
++ if(*in == '^'){
++ switch (*(in + 1)) {
++ case 'n':
+ *out = '\n';
++ found_escaped_char = 1;
+ break;
+-
+ case '^':
+ *out = '^';
++ found_escaped_char = 1;
+ break;
+
+ case '\'':
+ *out = '"';
++ found_escaped_char = 1;
+ break;
+ }
+- } else {
++ }
++
++ if(found_escaped_char) {
++ ++in;
++ } else {
+ *out = *in;
+ }
+ }
+--
+2.19.1
+
diff --git a/libical.spec b/libical.spec
index d8a78ef..35497af 100644
--- a/libical.spec
+++ b/libical.spec
@@ -1,6 +1,6 @@ Name: libical Version: 3.0.4 -Release: 1 +Release: 2 Summary: An Open Source implementation of the iCalendar protocols and protocol data formats. License: LGPLv2 or MPLv2.0 URL: https://libical.github.io/libical/ 
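Review bot: In libical-bugfix-timeout-found-by-fuzzer.patch, the rewritten caret handling in parser_decode_param_value has no comment stating the decoding rules or why the one-byte lookahead `*(in + 1)` stays in bounds. A comment above the `if(*in == '^'){` line such as `/* RFC 6868: ^n -> newline, ^^ -> ^, ^' -> "; any other ^x is copied as-is. *in is non-NUL here, so in[1] is at worst the terminator */` would cover both. The added lines also write `if(` and `){` without the spaces used by the `for (` and `switch (` lines around them. The end of the function, including any termination of the output string, is outside this hunk.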
@@ -13,6 +13,11 @@ Requires: tzdata Provides: libical-glib = %{version}-%{release} Obsoletes: libical-glib < %{version}-%{release} +Patch6001: libical-bugfix-Cap-the-number-of-parameters.patch +Patch6002: libical-bugfix-timeout-found-by-fuzzer.patch +Patch6003: libical-bugfix-Reset-the-parser-level-to-0.patch +Patch6004: libical-bugfix-attempt-to-make-Coverity-happy.patch + %description Libical is an open source implementation of the IETF's iCalendar calendaring and scheduling protocols (RFC 2445, 2446, and 2447). @@ -74,6 +79,9 @@ make test ARGS="-V" -C %{_target_platform} %{_datadir}/gtk-doc/html/%{name}-glib %changelog +* Tue Mar 10 2020 songnannan - 3.0.4-2 +- bugfix in oss-fuzz + * Fri Jan 10 2020 openEuler Buildteam - 3.0.4-1 - Type:bugfix - Id:NA