!2 Fix CVE-2023-34455 and CVE-2023-34454

From: @wk333 Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen
2023-07-03 09:58:35 +00:00 · 2023-07-03 09:58:35 +00:00 · 0fce04d986
commit 0fce04d986
parent 445304dcdd 3317f70664
3 changed files with 335 additions and 1 deletions
--- a/CVE-2023-34454.patch
+++ b/CVE-2023-34454.patch
@ -0,0 +1,205 @@
 From d0042551e4a3509a725038eb9b2ad1f683674d94 Mon Sep 17 00:00:00 2001
 From: aidanchiu1112 <108113174+aidanchiu1112@users.noreply.github.com>
 Date: Wed, 14 Jun 2023 11:06:30 -0700
 Subject: [PATCH] Merge pull request from GHSA-fjpj-2g6w-x25r
 * Fixed integer overflow by checking if bytesize is bigger than input length, then throwing exception
 * Fixed integer overflow by checking if bytesize is bigger than input length, then throwing exception
 * Fixed integer overflow by checking if bytesize is bigger than input length, then throwing exception
 * improved error messages by adding new error enum INPUT_TOO_LARGE in SnappyErrorCode.java, and added happy and sad cases in SnappyTest.java
 * fixed mispelling: validArrayInputLength --> isInvalidArrayInputLength
 * switched SnappyError into ILLEGAL_ARGUMENT in SnappyErrorCode.java and Snappy.java and fixed a typo in error comment
 * Fix buffer size boundary tests
 * Remove negative array size tests
 * updated comments for unit test
 Origin: https://github.com/xerial/snappy-java/commit/d0042551e4a3509a725038eb9b2ad1f683674d94
 ---
 src/main/java/org/xerial/snappy/Snappy.java   | 36 ++++++++--
 .../org/xerial/snappy/SnappyErrorCode.java    |  4 +-
 .../java/org/xerial/snappy/SnappyTest.java    | 65 +++++++++++++++++++
 3 files changed, 98 insertions(+), 7 deletions(-)
 diff --git a/src/main/java/org/xerial/snappy/Snappy.java b/src/main/java/org/xerial/snappy/Snappy.java
 index dc81f7c..762be59 100755
 --- a/src/main/java/org/xerial/snappy/Snappy.java
 +++ b/src/main/java/org/xerial/snappy/Snappy.java
@@ -163,7 +163,11 @@ public class Snappy
     public static byte[] compress(char[] input)
             throws IOException
     {
 -        return rawCompress(input, input.length * 2); // char uses 2 bytes
 +        int byteSize = input.length * 2;
 +        if (byteSize < input.length) {
 +            throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length);
 +        }
 +        return rawCompress(input, byteSize); // char uses 2 bytes
     }
     /**
@@ -175,7 +179,11 @@ public class Snappy
     public static byte[] compress(double[] input)
             throws IOException
     {
 -        return rawCompress(input, input.length * 8); // double uses 8 bytes
 +        int byteSize = input.length * 8;
 +        if (byteSize < input.length) {
 +            throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length);
 +        }
 +        return rawCompress(input, byteSize); // double uses 8 bytes
     }
     /**
@@ -187,7 +195,11 @@ public class Snappy
     public static byte[] compress(float[] input)
             throws IOException
     {
 -        return rawCompress(input, input.length * 4); // float uses 4 bytes
 +        int byteSize = input.length * 4;
 +        if (byteSize < input.length) {
 +            throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length);
 +        }
 +        return rawCompress(input, byteSize); // float uses 4 bytes
     }
     /**
@@ -199,7 +211,11 @@ public class Snappy
     public static byte[] compress(int[] input)
             throws IOException
     {
 -        return rawCompress(input, input.length * 4); // int uses 4 bytes
 +        int byteSize = input.length * 4;
 +        if (byteSize < input.length) {
 +            throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length);
 +        }
 +        return rawCompress(input, byteSize); // int uses 4 bytes
     }
     /**
@@ -211,7 +227,11 @@ public class Snappy
     public static byte[] compress(long[] input)
             throws IOException
     {
 -        return rawCompress(input, input.length * 8); // long uses 8 bytes
 +        int byteSize = input.length * 8;
 +        if (byteSize < input.length) {
 +            throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length);
 +        }
 +        return rawCompress(input, byteSize); // long uses 8 bytes
     }
     /**
@@ -223,7 +243,11 @@ public class Snappy
     public static byte[] compress(short[] input)
             throws IOException
     {
 -        return rawCompress(input, input.length * 2); // short uses 2 bytes
 +        int byteSize = input.length * 2;
 +        if (byteSize < input.length) {
 +            throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length);
 +        }
 +        return rawCompress(input, byteSize); // short uses 2 bytes
     }
     /**
 diff --git a/src/main/java/org/xerial/snappy/SnappyErrorCode.java b/src/main/java/org/xerial/snappy/SnappyErrorCode.java
 index 4325b02..661ffd8 100755
 --- a/src/main/java/org/xerial/snappy/SnappyErrorCode.java
 +++ b/src/main/java/org/xerial/snappy/SnappyErrorCode.java
@@ -41,7 +41,9 @@ public enum SnappyErrorCode
     FAILED_TO_UNCOMPRESS(5),
     EMPTY_INPUT(6),
     INCOMPATIBLE_VERSION(7),
 -    INVALID_CHUNK_SIZE(8);
 +    INVALID_CHUNK_SIZE(8),
 +    UNSUPPORTED_PLATFORM(9),
 +    TOO_LARGE_INPUT(10);
     public final int id;
 diff --git a/src/test/java/org/xerial/snappy/SnappyTest.java b/src/test/java/org/xerial/snappy/SnappyTest.java
 index 730dae9..4a863e0 100755
 --- a/src/test/java/org/xerial/snappy/SnappyTest.java
 +++ b/src/test/java/org/xerial/snappy/SnappyTest.java
@@ -376,4 +376,69 @@ public class SnappyTest
             // But OutOfMemoryError will not be caught, and will still be thrown
         }
     }
 +
 +    /*
 +    Tests happy cases for BitShuffle.shuffle method
 +    - double: 0, 10
 +    - float: 0, 10
 +    - int: 0, 10
 +    - long: 0, 10
 +    - short: 0, 10
 +     */
 +    @Test
 +    public void isValidArrayInputLength()
 +            throws Exception {
 +        byte[] a = Snappy.compress(new char[0]);
 +        byte[] b = Snappy.compress(new double[0]);
 +        byte[] c = Snappy.compress(new float[0]);
 +        byte[] d = Snappy.compress(new int[0]);
 +        byte[] e = Snappy.compress(new long[0]);
 +        byte[] f = Snappy.compress(new short[0]);
 +        byte[] g = Snappy.compress(new char[10]);
 +        byte[] h = Snappy.compress(new double[10]);
 +        byte[] i = Snappy.compress(new float[10]);
 +        byte[] j = Snappy.compress(new int[10]);
 +        byte[] k = Snappy.compress(new long[10]);
 +        byte[] l = Snappy.compress(new short[10]);
 +    }
 +
 +    /*
 +    Tests sad cases for Snappy.compress
 +    - Allocate a buffer whose byte size will be a bit larger than Integer.MAX_VALUE
 +    - char
 +    - double
 +    - float
 +    - int
 +    - long
 +    - short
 +     */
 +    @Test(expected = SnappyError.class)
 +    public void isTooLargeDoubleArrayInputLength() throws Exception {
 +        Snappy.compress(new double[Integer.MAX_VALUE / 8 + 1]);
 +    }
 +
 +    @Test(expected = SnappyError.class)
 +    public void isTooLargeCharArrayInputLength() throws Exception {
 +        Snappy.compress(new char[Integer.MAX_VALUE / 2 + 1]);
 +    }
 +
 +    @Test(expected = SnappyError.class)
 +    public void isTooLargeFloatArrayInputLength() throws Exception {
 +        Snappy.compress(new float[Integer.MAX_VALUE / 4 + 1]);
 +    }
 +
 +    @Test(expected = SnappyError.class)
 +    public void isTooLargeIntArrayInputLength() throws Exception {
 +        Snappy.compress(new int[Integer.MAX_VALUE / 4 + 1]);
 +    }
 +
 +    @Test(expected = SnappyError.class)
 +    public void isTooLargeLongArrayInputLength() throws Exception {
 +        Snappy.compress(new long[Integer.MAX_VALUE / 8 + 1]);
 +    }
 +
 +    @Test(expected = SnappyError.class)
 +    public void isTooLargeShortArrayInputLength() throws Exception {
 +        Snappy.compress(new short[Integer.MAX_VALUE / 2 + 1]);
 +    }
 }
 -- 
 2.33.0
--- a/CVE-2023-34455.patch
+++ b/CVE-2023-34455.patch
@ -0,0 +1,122 @@
 From 3bf67857fcf70d9eea56eed4af7c925671e8eaea Mon Sep 17 00:00:00 2001
 From: aidanchiu1112 <108113174+aidanchiu1112@users.noreply.github.com>
 Date: Wed, 14 Jun 2023 10:49:52 -0700
 Subject: [PATCH] Merge pull request from GHSA-qcwq-55hx-v3vh
 * asserted chunksize should be in the bounds of 0-java.outofmmeoryexception
 * asserted chunksize should be in the bounds of 0-java.outofmmeoryexception
 * https://github.com/xerial/snappy-java-ghsa-qcwq-55hx-v3vh/pull/2
 * advisory-fix-3
 * added and changed method name for happy and sad cases in SnappyTest.java
 * removed expected error for happy case in unit testing
 * added another unit test case in SnappyTest.java and fixed comments in SnappyInputStream.java
 * switched SnappyError to INVALID_CHUNK_SIZE
 * Updated unit tests
 Origin: https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea
 ---
 .../org/xerial/snappy/SnappyInputStream.java  | 13 ++++-
 .../java/org/xerial/snappy/SnappyTest.java    | 47 +++++++++++++++++++
 2 files changed, 59 insertions(+), 1 deletion(-)
 diff --git a/src/main/java/org/xerial/snappy/SnappyInputStream.java b/src/main/java/org/xerial/snappy/SnappyInputStream.java
 index 19a68c6..f499c66 100755
 --- a/src/main/java/org/xerial/snappy/SnappyInputStream.java
 +++ b/src/main/java/org/xerial/snappy/SnappyInputStream.java
@@ -417,9 +417,20 @@ public class SnappyInputStream
             }
         }
 +        // chunkSize is negative
 +        if (chunkSize < 0) {
 +            throw new SnappyError(SnappyErrorCode.INVALID_CHUNK_SIZE, "chunkSize is too big or negative : " + chunkSize);
 +        }
 +
         // extend the compressed data buffer size
         if (compressed == null || chunkSize > compressed.length) {
 -            compressed = new byte[chunkSize];
 +            // chunkSize exceeds limit
 +            try {
 +                compressed = new byte[chunkSize];
 +            }
 +            catch (java.lang.OutOfMemoryError e) {
 +                throw new SnappyError(SnappyErrorCode.INVALID_CHUNK_SIZE, e.getMessage());
 +            }
         }
         readBytes = 0;
         while (readBytes < chunkSize) {
 diff --git a/src/test/java/org/xerial/snappy/SnappyTest.java b/src/test/java/org/xerial/snappy/SnappyTest.java
 index 18b39e9..730dae9 100755
 --- a/src/test/java/org/xerial/snappy/SnappyTest.java
 +++ b/src/test/java/org/xerial/snappy/SnappyTest.java
@@ -26,6 +26,7 @@ package org.xerial.snappy;
 import static org.junit.Assert.*;
 +import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.nio.ByteBuffer;
@@ -329,4 +330,50 @@ public class SnappyTest
             _logger.debug(e);
         }
     }
 +
 +    /*
 +    Tests happy cases for SnappyInputStream.read method
 +    - {0}
 +     */
 +    @Test
 +    public void isValidChunkLengthForSnappyInputStreamIn()
 +            throws Exception {
 +        byte[] data = {0};
 +        SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));
 +        byte[] out = new byte[50];
 +        in.read(out);
 +    }
 +
 +    /*
 +    Tests sad cases for SnappyInputStream.read method
 +    - Expects a java.lang.NegativeArraySizeException catched into a SnappyError
 +    - {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff}
 +     */
 +    @Test(expected = SnappyError.class)
 +    public void isInvalidChunkLengthForSnappyInputStreamInNegative()
 +            throws Exception {
 +        byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};
 +        SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));
 +        byte[] out = new byte[50];
 +        in.read(out);
 +    }
 +
 +    /*
 +    Tests sad cases for SnappyInputStream.read method
 +    - Expects a java.lang.OutOfMemoryError
 +    - {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff}
 +     */
 +    @Test(expected = SnappyError.class)
 +    public void isInvalidChunkLengthForSnappyInputStreamOutOfMemory()
 +            throws Exception {
 +        byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0, (byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};
 +        SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));
 +        byte[] out = new byte[50];
 +        try {
 +            in.read(out);
 +        } catch (Exception ignored) {
 +            // Exception here will be catched
 +            // But OutOfMemoryError will not be caught, and will still be thrown
 +        }
 +    }
 }
 -- 
 2.33.0
--- a/snappy-java.spec
+++ b/snappy-java.spec
@ -1,7 +1,7 @@
 %global debug_package %nil
 Name:                snappy-java
 Version:             1.1.2.4
-Release:             1
+Release:             2
 Summary:             Fast compressor/decompresser
 License:             ASL 2.0
 URL:                 http://xerial.org/snappy-java/
@ -9,6 +9,8 @@ Source0:             https://github.com/xerial/snappy-java/archive/%{version}.ta
 Source1:             https://repo1.maven.org/maven2/org/xerial/snappy/%{name}/%{version}/%{name}-%{version}.pom
 Patch0:              snappy-java-1.1.2-build.patch
 Patch1:              snappy-java-1.1.2.4-lsnappy.patch
 Patch2:              CVE-2023-34455.patch
 Patch3:              CVE-2023-34454.patch
 BuildRequires:       make gcc-c++ libstdc++-static snappy-devel
 BuildRequires:       maven-local mvn(com.sun:tools) mvn(org.apache.felix:maven-bundle-plugin)
@ -38,6 +40,8 @@ find -name "*.a" -print -delete
 find -name "*.h" -print -delete
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 cp %{SOURCE1} pom.xml
 %pom_change_dep org.osgi: org.apache.felix::1.4.0
 %pom_xpath_remove "pom:dependency[pom:scope = 'test']"
@ -119,5 +123,8 @@ export CXXFLAGS
 %license LICENSE NOTICE
 %changelog
 * Mon Jul 03 2023 wangkai <13474090681@163.com> - 1.1.2.4-2
 - Fix CVE-2023-34455 and CVE-2023-34454
 * Tue Jul 28 2020 leiju <leiju4@huawei.com> - 1.1.2.4-1
 - Package init