fix CVE-2024-40897

(cherry picked from commit 183ceac84240a7055ff8b183dd017cee8d4ad9c8)

backport-0001-CVE-2024-40897.patch

@@ -0,0 +1,91 @@
+From fb7db9ae3e8ac271651d1884a3611d30bac04a98 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 9 Jul 2024 12:11:37 +0300
+Subject: [PATCH 1/2] Use vasprintf() if available for error messages and
+ otherwise vsnprintf()
+
+vasprintf() is a GNU/BSD extension and would allocate as much memory as required
+on the heap, similar to g_strdup_printf(). It's ridiculous that such a function
+is still not provided as part of standard C.
+
+If it's not available, use vsnprintf() to at least avoid stack/heap buffer
+overflows, which can lead to arbitrary code execution.
+
+Thanks to Noriko Totsuka for reporting.
+
+Fixes JVN#02030803 / JPCERT#92912620 / CVE-2024-40897
+Fixes #69
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/orc/-/merge_requests/191>
+---
+ meson.build       |  1 +
+ orc/orccompiler.c |  7 +++++--
+ orc/orcparse.c    | 14 ++++++++++----
+ 3 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index d83441c..4b6c225 100644
+--- a/meson.build
++++ b/meson.build
+@@ -128,6 +128,7 @@ int main() {
+ '''
+ cdata.set('HAVE_MONOTONIC_CLOCK', cc.compiles(monotonic_test))
+ cdata.set('HAVE_GETTIMEOFDAY', cc.has_function('gettimeofday'))
++cdata.set('HAVE_VASPRINTF', cc.has_function('vasprintf'))
+ cdata.set('HAVE_POSIX_MEMALIGN', cc.has_function('posix_memalign', prefix : '#include <stdlib.h>'))
+ cdata.set('HAVE_MMAP', cc.has_function('mmap'))
+ cdata.set('HAVE_SYS_TIME_H', cc.has_header('sys/time.h'))
+diff --git a/orc/orccompiler.c b/orc/orccompiler.c
+index 94d06d3..b3152e7 100644
+--- a/orc/orccompiler.c
++++ b/orc/orccompiler.c
+@@ -1331,9 +1331,12 @@ orc_compiler_error_valist (OrcCompiler *compiler, const char *fmt,
+   char *s;
+ 
+   if (compiler->error_msg) return;
+-
++#ifdef HAVE_VASPRINTF
++  vasprintf (&s, fmt, args);
++#else
+   s = malloc (ORC_COMPILER_ERROR_BUFFER_SIZE);
+-  vsprintf (s, fmt, args);
++  vsnprintf (s, ORC_COMPILER_ERROR_BUFFER_SIZE, fmt, args);
++#endif
+   compiler->error_msg = s;
+   compiler->error = TRUE;
+   compiler->result = ORC_COMPILE_RESULT_UNKNOWN_COMPILE;
+diff --git a/orc/orcparse.c b/orc/orcparse.c
+index b0d6709..8888de4 100644
+--- a/orc/orcparse.c
++++ b/orc/orcparse.c
+@@ -424,17 +424,23 @@ orc_parse_get_error_where (OrcParser *parser)
+ static void
+ orc_parse_add_error_valist (OrcParser *parser, const char *format, va_list args)
+ {
+-  char text[ORC_ERROR_LENGTH] = { '\0' };
+-
+   if (parser->error_program != parser->program) {
+     parser->error_program = parser->program;
+   }
+-
+-  vsprintf (text, format, args);
++#ifdef HAVE_VASPRINTF
++  char *text;
++  vasprintf (&text, format, args);
++#else
++  char text[ORC_ERROR_LENGTH] = { '\0' };
++  vsnprintf (text, sizeof (text), format, args);
++#endif
+ 
+   orc_vector_append (&parser->errors,
+                      orc_parse_error_new (orc_parse_get_error_where (parser),
+                                           parser->line_number, -1, text));
++#ifdef HAVE_VASPRINTF
++  free (text);
++#endif  
+ }
+ 
+ static void
+-- 
+2.27.0
+

backport-0002-CVE-2024-40897.patch

@@ -0,0 +1,54 @@
+From abd75edff9de9a06d0531b9db50963a0da42145c Mon Sep 17 00:00:00 2001
+From: "L. E. Segovia" <amy@centricular.com>
+Date: Tue, 9 Jul 2024 12:03:53 -0300
+Subject: [PATCH 2/2] orccompiler, orcparse: Use secure UCRT printing functions
+ on Windows
+
+See #69
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/orc/-/merge_requests/191>
+---
+ orc/orccompiler.c | 5 ++++-
+ orc/orcparse.c    | 5 ++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/orc/orccompiler.c b/orc/orccompiler.c
+index b3152e7..f3bb7c0 100644
+--- a/orc/orccompiler.c
++++ b/orc/orccompiler.c
+@@ -1328,11 +1328,14 @@ static void
+ orc_compiler_error_valist (OrcCompiler *compiler, const char *fmt,
+     va_list args)
+ {
+-  char *s;
++  char *s = NULL;
+ 
+   if (compiler->error_msg) return;
+ #ifdef HAVE_VASPRINTF
+   vasprintf (&s, fmt, args);
++#elif defined(_UCRT)
++  s = malloc (ORC_COMPILER_ERROR_BUFFER_SIZE);
++  vsnprintf_s (s, ORC_COMPILER_ERROR_BUFFER_SIZE, _TRUNCATE, fmt, args);  
+ #else
+   s = malloc (ORC_COMPILER_ERROR_BUFFER_SIZE);
+   vsnprintf (s, ORC_COMPILER_ERROR_BUFFER_SIZE, fmt, args);
+diff --git a/orc/orcparse.c b/orc/orcparse.c
+index 8888de4..3bebd1a 100644
+--- a/orc/orcparse.c
++++ b/orc/orcparse.c
+@@ -428,8 +428,11 @@ orc_parse_add_error_valist (OrcParser *parser, const char *format, va_list args)
+     parser->error_program = parser->program;
+   }
+ #ifdef HAVE_VASPRINTF
+-  char *text;
++  char *text = NULL;
+   vasprintf (&text, format, args);
++#elif defined(_UCRT)
++  char text[ORC_ERROR_LENGTH] = { '\0' };
++  vsnprintf_s (text, ORC_ERROR_LENGTH, _TRUNCATE, format, args);  
+ #else
+   char text[ORC_ERROR_LENGTH] = { '\0' };
+   vsnprintf (text, sizeof (text), format, args);
+-- 
+2.27.0
+

orc.spec

@@ -1,11 +1,14 @@
 Name:    orc
 Version: 0.4.34
-Release: 1
+Release: 2
 Summary: The Oil Run-time Compiler
 License: BSD
 URL:     http://cgit.freedesktop.org/gstreamer/orc/
 Source0: http://gstreamer.freedesktop.org/src/orc/%{name}-%{version}.tar.xz
 
+Patch6000: backport-0001-CVE-2024-40897.patch
+Patch6001: backport-0002-CVE-2024-40897.patch
+
 BuildRequires: gtk-doc libtool
 BuildRequires: meson >= 0.47.0
 
@@ -80,6 +83,9 @@ The Orc compiler.
 %doc %{_datadir}/gtk-doc/html/orc/
 
 %changelog
+* Mon Jul 29  2024 baiguo <baiguo@kylinos.cn> - 0.4.34-2
+- Use vasprintf() if available for error messages and otherwise vsnprintf();orccompiler, orcparse: Use secure UCRT printing functions on Windows
+
 * Wed Jul 12 2023 dillon chen <dillon.chen@gmail.com> - 0.4.34-1
 - update to 0.4.34