bugfix in oss-fuzz

orange-snn 2020-03-10 17:14:31 +08:00
parent 62af6d8a51
commit 17635af0d5
5 changed files with 197 additions and 1 deletions


@ -0,0 +1,69 @@
From 97abaada05f20973a710e194ce7c91c80bf39fe6 Mon Sep 17 00:00:00 2001
From: orange-snn <songnannan2@huawei.com>
Date: Tue, 10 Mar 2020 16:44:19 +0800
Subject: [PATCH] vvv
---
src/libical/icalparser.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/libical/icalparser.c b/src/libical/icalparser.c
index 5715036..416080d 100644
--- a/src/libical/icalparser.c
+++ b/src/libical/icalparser.c
@@ -46,6 +46,9 @@
#define TMP_BUF_SIZE 80
+#define MAXIMUM_ALLOWED_PARAMETERS 100
+#define MAXIMUM_ALLOWED_MULTIPLE_VALUES 500
+
struct icalparser_impl
{
int buffer_full; /* flag indicates that temp is smaller that
@@ -689,6 +692,7 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
{
char *str;
char *end;
+ int pcount = 0;
int vcount = 0;
icalproperty *prop;
icalproperty_kind prop_kind;
@@ -864,7 +868,7 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
/* Now, add any parameters to the last property */
- while (1) {
+ while (pcount < MAXIMUM_ALLOWED_PARAMETERS) {
if (*(end - 1) == ':') {
/* if the last separator was a ":" and the value is a
URL, icalparser_get_next_parameter will find the
@@ -1083,6 +1087,7 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
icalmemory_free_buffer(str);
str = NULL;
+ pcount++;
continue;
}
}
@@ -1092,7 +1097,7 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
tail = 0;
icalmemory_free_buffer(str);
str = NULL;
-
+ pcount++;
} else {
/* str is NULL */
break;
@@ -1109,7 +1114,7 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
parameter and add one part of the value to each clone */
vcount = 0;
- while (1) {
+ while (vcount < MAXIMUM_ALLOWED_MULTIPLE_VALUES) {
/* Only some properties can have multiple values. This list was taken
from rfc5545. Also added the x-properties, because the spec actually
says that commas should be escaped. For x-properties, other apps may
--
1.8.3.1
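Review bot: When either cap is reached, the loops at `while (pcount < MAXIMUM_ALLOWED_PARAMETERS)` and `while (vcount < MAXIMUM_ALLOWED_MULTIPLE_VALUES)` simply fall through, so a line with more than 100 parameters or 500 values appears to be truncated silently and the rest of the line is handled by whatever follows each loop, which lies outside these hunks. Reporting the truncation when the counter equals the cap, for instance `icalerror_warn("Too many parameters, ignoring the rest");` after the first loop, would let callers tell a truncated property from a complete one. Only two `pcount++` sites are visible; any other `continue` in the loop body that the hunks do not show would bypass the count. Separately, the patch header reads `Subject: [PATCH] vvv` with the packager as author, so the origin of the change cannot be checked from the file itself; the subject should describe the change and name the upstream commit it was taken from.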


@ -0,0 +1,36 @@
From fdeb2c05160969a3251eda1b3dbd7f855656fd12 Mon Sep 17 00:00:00 2001
From: Kent Sutherland <git@ksuther.com>
Date: Sat, 11 May 2019 19:59:03 +0000
Subject: [PATCH] Reset the parser level to 0 when encountering a line with END
before BEGIN Fixes memory leaks caused by the parser behaving incorrectly
when the level is negative. oss-fuzz issue 14480, 14151, 14152, 14153, 14155.
---
src/libical/icalparser.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/libical/icalparser.c b/src/libical/icalparser.c
index 0530a4b..6d54a7c 100644
--- a/src/libical/icalparser.c
+++ b/src/libical/icalparser.c
@@ -795,8 +795,15 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
icalmemory_free_buffer(str);
str = NULL;
- /* Return the component if we are back to the 0th level */
- if (parser->level == 0) {
+ if (parser->level < 0) {
+ // Encountered an END before any BEGIN, this must be invalid data
+ icalerror_warn("Encountered END before BEGIN");
+
+ parser->state = ICALPARSER_ERROR;
+ parser->level = 0;
+ return 0;
+ } else if (parser->level == 0) {
+ /* Return the component if we are back to the 0th level */
icalcomponent *rtrn;
if (pvl_count(parser->components) != 0) {
--
2.19.1
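Review bot: The new `parser->level < 0` branch returns 0, which is presumably also what icalparser_add_line returns for an ordinary line that does not complete a component, so a caller can distinguish rejected input from normal progress only by checking `parser->state`. A comment on the branch should say so, e.g. `/* Invalid input: signalled via parser->state only; the return value matches an unfinished component */`, and the function's documentation should mention the `ICALPARSER_ERROR` outcome. The branch also introduces a `//` comment where the neighbouring lines use `/* */`; matching the file's comment style keeps the patch consistent. The function body starts and ends outside the hunk, so whether anything already queued in `parser->components` needs releasing on this early return cannot be judged from here.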


@ -0,0 +1,31 @@
From 5048c2e6084bc0df1a80416bf9760f03e243bb09 Mon Sep 17 00:00:00 2001
From: Allen Winter <allen.winter@kdab.com>
Date: Sun, 12 May 2019 16:55:44 -0400
Subject: [PATCH] another attempt to make Coverity happy
---
src/libical/icalparser.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/libical/icalparser.c b/src/libical/icalparser.c
index 6d54a7c..de7a2a4 100644
--- a/src/libical/icalparser.c
+++ b/src/libical/icalparser.c
@@ -1004,7 +1004,13 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
/* Reparse the parameter name and value with the new segment */
if (!parser_get_param_name_stack(str, name_stack, sizeof(name_stack),
pvalue_stack, sizeof(pvalue_stack))) {
- if (name_heap) {
+
+ if (pvalue_heap) {
+ icalmemory_free_buffer(pvalue_heap);
+ pvalue_heap = 0;
+ pvalue = 0;
+ }
+ if (name_heap) {
icalmemory_free_buffer(name_heap);
name = 0;
}
--
2.19.1
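Review bot: The added `pvalue_heap` branch clears both `pvalue_heap` and `pvalue` after `icalmemory_free_buffer`, but the `name_heap` branch directly below frees the buffer and resets only `name`, leaving `name_heap` pointing at freed memory. Unless `name_heap` is reassigned immediately after the hunk (not visible here), a later `if (name_heap)` cleanup would free it a second time; adding `name_heap = 0;` after the free makes the two branches symmetric and removes the dependence on the following statement. The enclosing function continues outside the hunk.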


@ -0,0 +1,52 @@
From 3eacf85ec9dd638c2023c89c2a6cdf61107fc617 Mon Sep 17 00:00:00 2001
From: Kent Sutherland <git@ksuther.com>
Date: Fri, 14 Jun 2019 15:21:59 -0500
Subject: [PATCH] Fix timeout found by fuzzer (oss-fuzz issue 14881) strspn is
really slow compared to doing direct comparisons
---
src/libical/icalparser.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/libical/icalparser.c b/src/libical/icalparser.c
index fa92495..0530a4b 100644
--- a/src/libical/icalparser.c
+++ b/src/libical/icalparser.c
@@ -221,21 +221,29 @@ static void parser_decode_param_value(char *value)
char *in, *out;
for (in = out = value; *in; in++, out++) {
- if (*in == '^' && strspn(in+1, "n^'")) {
- switch (*++in) {
- case 'n':
+ int found_escaped_char = 0;
+
+ if(*in == '^'){
+ switch (*(in + 1)) {
+ case 'n':
*out = '\n';
+ found_escaped_char = 1;
break;
-
case '^':
*out = '^';
+ found_escaped_char = 1;
break;
case '\'':
*out = '"';
+ found_escaped_char = 1;
break;
}
- } else {
+ }
+
+ if(found_escaped_char) {
+ ++in;
+ } else {
*out = *in;
}
}
--
2.19.1
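Review bot: The lookahead `switch (*(in + 1))` carries no comment explaining why it cannot read past the buffer, and it has no `default:` case. The read is in bounds because `*in` is `'^'` at that point, so `in + 1` is at worst the terminating NUL; a line such as `/* *in is '^', so in[1] is at most the terminating NUL */` above the switch records that invariant for the next person who edits the loop. Adding `default: break;` would make explicit that an unrecognised escape such as `^x` is copied through unchanged by the `else` branch. The function's opening and tail lie outside the hunk.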


@ -1,6 +1,6 @@
Name: libical Name: libical
Version: 3.0.4 Version: 3.0.4
Release: 1 Release: 2
Summary: An Open Source implementation of the iCalendar protocols and protocol data formats. Summary: An Open Source implementation of the iCalendar protocols and protocol data formats.
License: LGPLv2 or MPLv2.0 License: LGPLv2 or MPLv2.0
URL: https://libical.github.io/libical/ URL: https://libical.github.io/libical/
@ -13,6 +13,11 @@ Requires: tzdata
Provides: libical-glib = %{version}-%{release} Provides: libical-glib = %{version}-%{release}
Obsoletes: libical-glib < %{version}-%{release} Obsoletes: libical-glib < %{version}-%{release}
Patch6001: libical-bugfix-Cap-the-number-of-parameters.patch
Patch6002: libical-bugfix-timeout-found-by-fuzzer.patch
Patch6003: libical-bugfix-Reset-the-parser-level-to-0.patch
Patch6004: libical-bugfix-attempt-to-make-Coverity-happy.patch
%description %description
Libical is an open source implementation of the IETF's iCalendar calendaring Libical is an open source implementation of the IETF's iCalendar calendaring
and scheduling protocols (RFC 2445, 2446, and 2447). and scheduling protocols (RFC 2445, 2446, and 2447).
@ -74,6 +79,9 @@ make test ARGS="-V" -C %{_target_platform}
%{_datadir}/gtk-doc/html/%{name}-glib %{_datadir}/gtk-doc/html/%{name}-glib
%changelog %changelog
* Tue Mar 10 2020 songnannan <songnannan2@huawei.com> - 3.0.4-2
- bugfix in oss-fuzz
* Fri Jan 10 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.0.4-1 * Fri Jan 10 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.0.4-1
- Type:bugfix - Type:bugfix
- Id:NA - Id:NA