packages/snappy-java
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!2 Fix CVE-2023-34455 and CVE-2023-34454

Browse Source 
From: @wk333 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
This commit is contained in:
openeuler-ci-bot 2023-07-03 09:58:35 +00:00 committed by Gitee
commit 0fce04d986
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 335 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

205
CVE-2023-34454.patch Normal file
View File

@ -0,0 +1,205 @@
From d0042551e4a3509a725038eb9b2ad1f683674d94 Mon Sep 17 00:00:00 2001
From: aidanchiu1112 <108113174+aidanchiu1112@users.noreply.github.com>
Date: Wed, 14 Jun 2023 11:06:30 -0700
Subject: [PATCH] Merge pull request from GHSA-fjpj-2g6w-x25r
* Fixed integer overflow by checking if bytesize is bigger than input length, then throwing exception
* Fixed integer overflow by checking if bytesize is bigger than input length, then throwing exception
* Fixed integer overflow by checking if bytesize is bigger than input length, then throwing exception
* improved error messages by adding new error enum INPUT_TOO_LARGE in SnappyErrorCode.java, and added happy and sad cases in SnappyTest.java
* fixed mispelling: validArrayInputLength --> isInvalidArrayInputLength
* switched SnappyError into ILLEGAL_ARGUMENT in SnappyErrorCode.java and Snappy.java and fixed a typo in error comment
* Fix buffer size boundary tests
* Remove negative array size tests
* updated comments for unit test
Origin: https://github.com/xerial/snappy-java/commit/d0042551e4a3509a725038eb9b2ad1f683674d94
---
src/main/java/org/xerial/snappy/Snappy.java | 36 ++++++++--
.../org/xerial/snappy/SnappyErrorCode.java | 4 +-
.../java/org/xerial/snappy/SnappyTest.java | 65 +++++++++++++++++++
3 files changed, 98 insertions(+), 7 deletions(-)
diff --git a/src/main/java/org/xerial/snappy/Snappy.java b/src/main/java/org/xerial/snappy/Snappy.java
index dc81f7c..762be59 100755
--- a/src/main/java/org/xerial/snappy/Snappy.java
+++ b/src/main/java/org/xerial/snappy/Snappy.java
@@ -163,7 +163,11 @@ public class Snappy
public static byte[] compress(char[] input)
throws IOException
{
- return rawCompress(input, input.length * 2); // char uses 2 bytes
+ int byteSize = input.length * 2;
+ if (byteSize < input.length) {
+ throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length);
+ }
+ return rawCompress(input, byteSize); // char uses 2 bytes
}
/**
@@ -175,7 +179,11 @@ public class Snappy
public static byte[] compress(double[] input)
throws IOException
{
- return rawCompress(input, input.length * 8); // double uses 8 bytes
+ int byteSize = input.length * 8;
+ if (byteSize < input.length) {
+ throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length);
+ }
+ return rawCompress(input, byteSize); // double uses 8 bytes
}
/**
@@ -187,7 +195,11 @@ public class Snappy
public static byte[] compress(float[] input)
throws IOException
{
- return rawCompress(input, input.length * 4); // float uses 4 bytes
+ int byteSize = input.length * 4;
+ if (byteSize < input.length) {
+ throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length);
+ }
+ return rawCompress(input, byteSize); // float uses 4 bytes
}
/**
@@ -199,7 +211,11 @@ public class Snappy
public static byte[] compress(int[] input)
throws IOException
{
- return rawCompress(input, input.length * 4); // int uses 4 bytes
+ int byteSize = input.length * 4;
+ if (byteSize < input.length) {
+ throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length);
+ }
+ return rawCompress(input, byteSize); // int uses 4 bytes
}
/**
@@ -211,7 +227,11 @@ public class Snappy
public static byte[] compress(long[] input)
throws IOException
{
- return rawCompress(input, input.length * 8); // long uses 8 bytes
+ int byteSize = input.length * 8;
+ if (byteSize < input.length) {
+ throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length);
+ }
+ return rawCompress(input, byteSize); // long uses 8 bytes
}
/**
@@ -223,7 +243,11 @@ public class Snappy
public static byte[] compress(short[] input)
throws IOException
{
- return rawCompress(input, input.length * 2); // short uses 2 bytes
+ int byteSize = input.length * 2;
+ if (byteSize < input.length) {
+ throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length);
+ }
+ return rawCompress(input, byteSize); // short uses 2 bytes
}
/**
diff --git a/src/main/java/org/xerial/snappy/SnappyErrorCode.java b/src/main/java/org/xerial/snappy/SnappyErrorCode.java
index 4325b02..661ffd8 100755
--- a/src/main/java/org/xerial/snappy/SnappyErrorCode.java
+++ b/src/main/java/org/xerial/snappy/SnappyErrorCode.java
@@ -41,7 +41,9 @@ public enum SnappyErrorCode
FAILED_TO_UNCOMPRESS(5),
EMPTY_INPUT(6),
INCOMPATIBLE_VERSION(7),
- INVALID_CHUNK_SIZE(8);
+ INVALID_CHUNK_SIZE(8),
+ UNSUPPORTED_PLATFORM(9),
+ TOO_LARGE_INPUT(10);
public final int id;
diff --git a/src/test/java/org/xerial/snappy/SnappyTest.java b/src/test/java/org/xerial/snappy/SnappyTest.java
index 730dae9..4a863e0 100755
--- a/src/test/java/org/xerial/snappy/SnappyTest.java
+++ b/src/test/java/org/xerial/snappy/SnappyTest.java
@@ -376,4 +376,69 @@ public class SnappyTest
// But OutOfMemoryError will not be caught, and will still be thrown
}
}
+
+ /*
+ Tests happy cases for BitShuffle.shuffle method
+ - double: 0, 10
+ - float: 0, 10
+ - int: 0, 10
+ - long: 0, 10
+ - short: 0, 10
+ */
+ @Test
+ public void isValidArrayInputLength()
+ throws Exception {
+ byte[] a = Snappy.compress(new char[0]);
+ byte[] b = Snappy.compress(new double[0]);
+ byte[] c = Snappy.compress(new float[0]);
+ byte[] d = Snappy.compress(new int[0]);
+ byte[] e = Snappy.compress(new long[0]);
+ byte[] f = Snappy.compress(new short[0]);
+ byte[] g = Snappy.compress(new char[10]);
+ byte[] h = Snappy.compress(new double[10]);
+ byte[] i = Snappy.compress(new float[10]);
+ byte[] j = Snappy.compress(new int[10]);
+ byte[] k = Snappy.compress(new long[10]);
+ byte[] l = Snappy.compress(new short[10]);
+ }
+
+ /*
+ Tests sad cases for Snappy.compress
+ - Allocate a buffer whose byte size will be a bit larger than Integer.MAX_VALUE
+ - char
+ - double
+ - float
+ - int
+ - long
+ - short
+ */
+ @Test(expected = SnappyError.class)
+ public void isTooLargeDoubleArrayInputLength() throws Exception {
+ Snappy.compress(new double[Integer.MAX_VALUE / 8 + 1]);
+ }
+
+ @Test(expected = SnappyError.class)
+ public void isTooLargeCharArrayInputLength() throws Exception {
+ Snappy.compress(new char[Integer.MAX_VALUE / 2 + 1]);
+ }
+
+ @Test(expected = SnappyError.class)
+ public void isTooLargeFloatArrayInputLength() throws Exception {
+ Snappy.compress(new float[Integer.MAX_VALUE / 4 + 1]);
+ }
+
+ @Test(expected = SnappyError.class)
+ public void isTooLargeIntArrayInputLength() throws Exception {
+ Snappy.compress(new int[Integer.MAX_VALUE / 4 + 1]);
+ }
+
+ @Test(expected = SnappyError.class)
+ public void isTooLargeLongArrayInputLength() throws Exception {
+ Snappy.compress(new long[Integer.MAX_VALUE / 8 + 1]);
+ }
+
+ @Test(expected = SnappyError.class)
+ public void isTooLargeShortArrayInputLength() throws Exception {
+ Snappy.compress(new short[Integer.MAX_VALUE / 2 + 1]);
+ }
}
--
2.33.0

122
CVE-2023-34455.patch Normal file
View File

@ -0,0 +1,122 @@
From 3bf67857fcf70d9eea56eed4af7c925671e8eaea Mon Sep 17 00:00:00 2001
From: aidanchiu1112 <108113174+aidanchiu1112@users.noreply.github.com>
Date: Wed, 14 Jun 2023 10:49:52 -0700
Subject: [PATCH] Merge pull request from GHSA-qcwq-55hx-v3vh
* asserted chunksize should be in the bounds of 0-java.outofmmeoryexception
* asserted chunksize should be in the bounds of 0-java.outofmmeoryexception
* https://github.com/xerial/snappy-java-ghsa-qcwq-55hx-v3vh/pull/2
* advisory-fix-3
* added and changed method name for happy and sad cases in SnappyTest.java
* removed expected error for happy case in unit testing
* added another unit test case in SnappyTest.java and fixed comments in SnappyInputStream.java
* switched SnappyError to INVALID_CHUNK_SIZE
* Updated unit tests
Origin: https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea
---
.../org/xerial/snappy/SnappyInputStream.java | 13 ++++-
.../java/org/xerial/snappy/SnappyTest.java | 47 +++++++++++++++++++
2 files changed, 59 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/xerial/snappy/SnappyInputStream.java b/src/main/java/org/xerial/snappy/SnappyInputStream.java
index 19a68c6..f499c66 100755
--- a/src/main/java/org/xerial/snappy/SnappyInputStream.java
+++ b/src/main/java/org/xerial/snappy/SnappyInputStream.java
@@ -417,9 +417,20 @@ public class SnappyInputStream
}
}
+ // chunkSize is negative
+ if (chunkSize < 0) {
+ throw new SnappyError(SnappyErrorCode.INVALID_CHUNK_SIZE, "chunkSize is too big or negative : " + chunkSize);
+ }
+
// extend the compressed data buffer size
if (compressed == null || chunkSize > compressed.length) {
- compressed = new byte[chunkSize];
+ // chunkSize exceeds limit
+ try {
+ compressed = new byte[chunkSize];
+ }
+ catch (java.lang.OutOfMemoryError e) {
+ throw new SnappyError(SnappyErrorCode.INVALID_CHUNK_SIZE, e.getMessage());
+ }
}
readBytes = 0;
while (readBytes < chunkSize) {
diff --git a/src/test/java/org/xerial/snappy/SnappyTest.java b/src/test/java/org/xerial/snappy/SnappyTest.java
index 18b39e9..730dae9 100755
--- a/src/test/java/org/xerial/snappy/SnappyTest.java
+++ b/src/test/java/org/xerial/snappy/SnappyTest.java
@@ -26,6 +26,7 @@ package org.xerial.snappy;
import static org.junit.Assert.*;
+import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
@@ -329,4 +330,50 @@ public class SnappyTest
_logger.debug(e);
}
}
+
+ /*
+ Tests happy cases for SnappyInputStream.read method
+ - {0}
+ */
+ @Test
+ public void isValidChunkLengthForSnappyInputStreamIn()
+ throws Exception {
+ byte[] data = {0};
+ SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));
+ byte[] out = new byte[50];
+ in.read(out);
+ }
+
+ /*
+ Tests sad cases for SnappyInputStream.read method
+ - Expects a java.lang.NegativeArraySizeException catched into a SnappyError
+ - {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff}
+ */
+ @Test(expected = SnappyError.class)
+ public void isInvalidChunkLengthForSnappyInputStreamInNegative()
+ throws Exception {
+ byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};
+ SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));
+ byte[] out = new byte[50];
+ in.read(out);
+ }
+
+ /*
+ Tests sad cases for SnappyInputStream.read method
+ - Expects a java.lang.OutOfMemoryError
+ - {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff}
+ */
+ @Test(expected = SnappyError.class)
+ public void isInvalidChunkLengthForSnappyInputStreamOutOfMemory()
+ throws Exception {
+ byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0, (byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};
+ SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));
+ byte[] out = new byte[50];
+ try {
+ in.read(out);
+ } catch (Exception ignored) {
+ // Exception here will be catched
+ // But OutOfMemoryError will not be caught, and will still be thrown
+ }
+ }
}
--
2.33.0

9
snappy-java.spec
View File

@ -1,7 +1,7 @@
%global debug_package %nil
Name: snappy-java
Version: 1.1.2.4
Release: 1
Release: 2
Summary: Fast compressor/decompresser
License: ASL 2.0
URL: http://xerial.org/snappy-java/
@ -9,6 +9,8 @@ Source0: https://github.com/xerial/snappy-java/archive/%{version}.ta
Source1: https://repo1.maven.org/maven2/org/xerial/snappy/%{name}/%{version}/%{name}-%{version}.pom
Patch0: snappy-java-1.1.2-build.patch
Patch1: snappy-java-1.1.2.4-lsnappy.patch
Patch2: CVE-2023-34455.patch
Patch3: CVE-2023-34454.patch
BuildRequires: make gcc-c++ libstdc++-static snappy-devel
BuildRequires: maven-local mvn(com.sun:tools) mvn(org.apache.felix:maven-bundle-plugin)
@ -38,6 +40,8 @@ find -name "*.a" -print -delete
find -name "*.h" -print -delete
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
cp %{SOURCE1} pom.xml
%pom_change_dep org.osgi: org.apache.felix::1.4.0
%pom_xpath_remove "pom:dependency[pom:scope = 'test']"
@ -119,5 +123,8 @@ export CXXFLAGS
%license LICENSE NOTICE
%changelog
* Mon Jul 03 2023 wangkai <13474090681@163.com> - 1.1.2.4-2
- Fix CVE-2023-34455 and CVE-2023-34454
* Tue Jul 28 2020 leiju <leiju4@huawei.com> - 1.1.2.4-1
- Package init