Fix CVE-2023-34455 and CVE-2023-34454

2023-07-03 16:31:17 +08:00 · 2023-07-03 16:31:17 +08:00 · 3317f70664
commit 3317f70664
parent 445304dcdd
3 changed files with 335 additions and 1 deletions
--- a/CVE-2023-34454.patch
+++ b/CVE-2023-34454.patch
@ -0,0 +1,205 @@
+From d0042551e4a3509a725038eb9b2ad1f683674d94 Mon Sep 17 00:00:00 2001
+From: aidanchiu1112 <108113174+aidanchiu1112@users.noreply.github.com>
+Date: Wed, 14 Jun 2023 11:06:30 -0700
+Subject: [PATCH] Merge pull request from GHSA-fjpj-2g6w-x25r
+
+* Fixed integer overflow by checking if bytesize is bigger than input length, then throwing exception
+
+* Fixed integer overflow by checking if bytesize is bigger than input length, then throwing exception
+
+* Fixed integer overflow by checking if bytesize is bigger than input length, then throwing exception
+
+* improved error messages by adding new error enum INPUT_TOO_LARGE in SnappyErrorCode.java, and added happy and sad cases in SnappyTest.java
+
+* fixed mispelling: validArrayInputLength --> isInvalidArrayInputLength
+
+* switched SnappyError into ILLEGAL_ARGUMENT in SnappyErrorCode.java and Snappy.java and fixed a typo in error comment
+
+* Fix buffer size boundary tests
+
+* Remove negative array size tests
+
+* updated comments for unit test
+
+Origin: https://github.com/xerial/snappy-java/commit/d0042551e4a3509a725038eb9b2ad1f683674d94
+
+---
+ src/main/java/org/xerial/snappy/Snappy.java   | 36 ++++++++--
+ .../org/xerial/snappy/SnappyErrorCode.java    |  4 +-
+ .../java/org/xerial/snappy/SnappyTest.java    | 65 +++++++++++++++++++
+ 3 files changed, 98 insertions(+), 7 deletions(-)
+
+diff --git a/src/main/java/org/xerial/snappy/Snappy.java b/src/main/java/org/xerial/snappy/Snappy.java
+index dc81f7c..762be59 100755
+--- a/src/main/java/org/xerial/snappy/Snappy.java
+++ b/src/main/java/org/xerial/snappy/Snappy.java
+@@ -163,7 +163,11 @@ public class Snappy
+     public static byte[] compress(char[] input)
+             throws IOException
+     {
+-        return rawCompress(input, input.length * 2); // char uses 2 bytes
+        int byteSize = input.length * 2;
+        if (byteSize < input.length) {
+            throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length);
+        }
+        return rawCompress(input, byteSize); // char uses 2 bytes
+     }
+ 
+     /**
+@@ -175,7 +179,11 @@ public class Snappy
+     public static byte[] compress(double[] input)
+             throws IOException
+     {
+-        return rawCompress(input, input.length * 8); // double uses 8 bytes
+        int byteSize = input.length * 8;
+        if (byteSize < input.length) {
+            throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length);
+        }
+        return rawCompress(input, byteSize); // double uses 8 bytes
+     }
+ 
+     /**
+@@ -187,7 +195,11 @@ public class Snappy
+     public static byte[] compress(float[] input)
+             throws IOException
+     {
+-        return rawCompress(input, input.length * 4); // float uses 4 bytes
+        int byteSize = input.length * 4;
+        if (byteSize < input.length) {
+            throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length);
+        }
+        return rawCompress(input, byteSize); // float uses 4 bytes
+     }
+ 
+     /**
+@@ -199,7 +211,11 @@ public class Snappy
+     public static byte[] compress(int[] input)
+             throws IOException
+     {
+-        return rawCompress(input, input.length * 4); // int uses 4 bytes
+        int byteSize = input.length * 4;
+        if (byteSize < input.length) {
+            throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length);
+        }
+        return rawCompress(input, byteSize); // int uses 4 bytes
+     }
+ 
+     /**
+@@ -211,7 +227,11 @@ public class Snappy
+     public static byte[] compress(long[] input)
+             throws IOException
+     {
+-        return rawCompress(input, input.length * 8); // long uses 8 bytes
+        int byteSize = input.length * 8;
+        if (byteSize < input.length) {
+            throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length);
+        }
+        return rawCompress(input, byteSize); // long uses 8 bytes
+     }
+ 
+     /**
+@@ -223,7 +243,11 @@ public class Snappy
+     public static byte[] compress(short[] input)
+             throws IOException
+     {
+-        return rawCompress(input, input.length * 2); // short uses 2 bytes
+        int byteSize = input.length * 2;
+        if (byteSize < input.length) {
+            throw new SnappyError(SnappyErrorCode.TOO_LARGE_INPUT, "input array size is too large: " + input.length);
+        }
+        return rawCompress(input, byteSize); // short uses 2 bytes
+     }
+ 
+     /**
+diff --git a/src/main/java/org/xerial/snappy/SnappyErrorCode.java b/src/main/java/org/xerial/snappy/SnappyErrorCode.java
+index 4325b02..661ffd8 100755
+--- a/src/main/java/org/xerial/snappy/SnappyErrorCode.java
+++ b/src/main/java/org/xerial/snappy/SnappyErrorCode.java
+@@ -41,7 +41,9 @@ public enum SnappyErrorCode
+     FAILED_TO_UNCOMPRESS(5),
+     EMPTY_INPUT(6),
+     INCOMPATIBLE_VERSION(7),
+-    INVALID_CHUNK_SIZE(8);
+    INVALID_CHUNK_SIZE(8),
+    UNSUPPORTED_PLATFORM(9),
+    TOO_LARGE_INPUT(10);
+ 
+     public final int id;
+ 
+diff --git a/src/test/java/org/xerial/snappy/SnappyTest.java b/src/test/java/org/xerial/snappy/SnappyTest.java
+index 730dae9..4a863e0 100755
+--- a/src/test/java/org/xerial/snappy/SnappyTest.java
+++ b/src/test/java/org/xerial/snappy/SnappyTest.java
+@@ -376,4 +376,69 @@ public class SnappyTest
+             // But OutOfMemoryError will not be caught, and will still be thrown
+         }
+     }
+
+    /*
+    Tests happy cases for BitShuffle.shuffle method
+    - double: 0, 10
+    - float: 0, 10
+    - int: 0, 10
+    - long: 0, 10
+    - short: 0, 10
+     */
+    @Test
+    public void isValidArrayInputLength()
+            throws Exception {
+        byte[] a = Snappy.compress(new char[0]);
+        byte[] b = Snappy.compress(new double[0]);
+        byte[] c = Snappy.compress(new float[0]);
+        byte[] d = Snappy.compress(new int[0]);
+        byte[] e = Snappy.compress(new long[0]);
+        byte[] f = Snappy.compress(new short[0]);
+        byte[] g = Snappy.compress(new char[10]);
+        byte[] h = Snappy.compress(new double[10]);
+        byte[] i = Snappy.compress(new float[10]);
+        byte[] j = Snappy.compress(new int[10]);
+        byte[] k = Snappy.compress(new long[10]);
+        byte[] l = Snappy.compress(new short[10]);
+    }
+
+    /*
+    Tests sad cases for Snappy.compress
+    - Allocate a buffer whose byte size will be a bit larger than Integer.MAX_VALUE
+    - char
+    - double
+    - float
+    - int
+    - long
+    - short
+     */
+    @Test(expected = SnappyError.class)
+    public void isTooLargeDoubleArrayInputLength() throws Exception {
+        Snappy.compress(new double[Integer.MAX_VALUE / 8 + 1]);
+    }
+
+    @Test(expected = SnappyError.class)
+    public void isTooLargeCharArrayInputLength() throws Exception {
+        Snappy.compress(new char[Integer.MAX_VALUE / 2 + 1]);
+    }
+
+    @Test(expected = SnappyError.class)
+    public void isTooLargeFloatArrayInputLength() throws Exception {
+        Snappy.compress(new float[Integer.MAX_VALUE / 4 + 1]);
+    }
+
+    @Test(expected = SnappyError.class)
+    public void isTooLargeIntArrayInputLength() throws Exception {
+        Snappy.compress(new int[Integer.MAX_VALUE / 4 + 1]);
+    }
+
+    @Test(expected = SnappyError.class)
+    public void isTooLargeLongArrayInputLength() throws Exception {
+        Snappy.compress(new long[Integer.MAX_VALUE / 8 + 1]);
+    }
+
+    @Test(expected = SnappyError.class)
+    public void isTooLargeShortArrayInputLength() throws Exception {
+        Snappy.compress(new short[Integer.MAX_VALUE / 2 + 1]);
+    }
+ }
+-- 
+2.33.0
+
--- a/CVE-2023-34455.patch
+++ b/CVE-2023-34455.patch
@ -0,0 +1,122 @@
+From 3bf67857fcf70d9eea56eed4af7c925671e8eaea Mon Sep 17 00:00:00 2001
+From: aidanchiu1112 <108113174+aidanchiu1112@users.noreply.github.com>
+Date: Wed, 14 Jun 2023 10:49:52 -0700
+Subject: [PATCH] Merge pull request from GHSA-qcwq-55hx-v3vh
+
+* asserted chunksize should be in the bounds of 0-java.outofmmeoryexception
+
+* asserted chunksize should be in the bounds of 0-java.outofmmeoryexception
+
+* https://github.com/xerial/snappy-java-ghsa-qcwq-55hx-v3vh/pull/2
+
+* advisory-fix-3
+
+* added and changed method name for happy and sad cases in SnappyTest.java
+
+* removed expected error for happy case in unit testing
+
+* added another unit test case in SnappyTest.java and fixed comments in SnappyInputStream.java
+
+* switched SnappyError to INVALID_CHUNK_SIZE
+
+* Updated unit tests
+
+Origin: https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea
+
+---
+ .../org/xerial/snappy/SnappyInputStream.java  | 13 ++++-
+ .../java/org/xerial/snappy/SnappyTest.java    | 47 +++++++++++++++++++
+ 2 files changed, 59 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/java/org/xerial/snappy/SnappyInputStream.java b/src/main/java/org/xerial/snappy/SnappyInputStream.java
+index 19a68c6..f499c66 100755
+--- a/src/main/java/org/xerial/snappy/SnappyInputStream.java
+++ b/src/main/java/org/xerial/snappy/SnappyInputStream.java
+@@ -417,9 +417,20 @@ public class SnappyInputStream
+             }
+         }
+ 
+        // chunkSize is negative
+        if (chunkSize < 0) {
+            throw new SnappyError(SnappyErrorCode.INVALID_CHUNK_SIZE, "chunkSize is too big or negative : " + chunkSize);
+        }
+
+         // extend the compressed data buffer size
+         if (compressed == null || chunkSize > compressed.length) {
+-            compressed = new byte[chunkSize];
+            // chunkSize exceeds limit
+            try {
+                compressed = new byte[chunkSize];
+            }
+            catch (java.lang.OutOfMemoryError e) {
+                throw new SnappyError(SnappyErrorCode.INVALID_CHUNK_SIZE, e.getMessage());
+            }
+         }
+         readBytes = 0;
+         while (readBytes < chunkSize) {
+diff --git a/src/test/java/org/xerial/snappy/SnappyTest.java b/src/test/java/org/xerial/snappy/SnappyTest.java
+index 18b39e9..730dae9 100755
+--- a/src/test/java/org/xerial/snappy/SnappyTest.java
+++ b/src/test/java/org/xerial/snappy/SnappyTest.java
+@@ -26,6 +26,7 @@ package org.xerial.snappy;
+ 
+ import static org.junit.Assert.*;
+ 
+import java.io.ByteArrayInputStream;
+ import java.io.IOException;
+ import java.nio.ByteBuffer;
+ 
+@@ -329,4 +330,50 @@ public class SnappyTest
+             _logger.debug(e);
+         }
+     }
+
+    /*
+    Tests happy cases for SnappyInputStream.read method
+    - {0}
+     */
+    @Test
+    public void isValidChunkLengthForSnappyInputStreamIn()
+            throws Exception {
+        byte[] data = {0};
+        SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));
+        byte[] out = new byte[50];
+        in.read(out);
+    }
+
+    /*
+    Tests sad cases for SnappyInputStream.read method
+    - Expects a java.lang.NegativeArraySizeException catched into a SnappyError
+    - {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff}
+     */
+    @Test(expected = SnappyError.class)
+    public void isInvalidChunkLengthForSnappyInputStreamInNegative()
+            throws Exception {
+        byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};
+        SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));
+        byte[] out = new byte[50];
+        in.read(out);
+    }
+
+    /*
+    Tests sad cases for SnappyInputStream.read method
+    - Expects a java.lang.OutOfMemoryError
+    - {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff}
+     */
+    @Test(expected = SnappyError.class)
+    public void isInvalidChunkLengthForSnappyInputStreamOutOfMemory()
+            throws Exception {
+        byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0, (byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};
+        SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));
+        byte[] out = new byte[50];
+        try {
+            in.read(out);
+        } catch (Exception ignored) {
+            // Exception here will be catched
+            // But OutOfMemoryError will not be caught, and will still be thrown
+        }
+    }
+ }
+-- 
+2.33.0
+
--- a/snappy-java.spec
+++ b/snappy-java.spec
@ -1,7 +1,7 @@
 %global debug_package %nil
 Name:                snappy-java
 Version:             1.1.2.4
-Release:             1
+Release:             2
 Summary:             Fast compressor/decompresser
 License:             ASL 2.0
 URL:                 http://xerial.org/snappy-java/
@ -9,6 +9,8 @@ Source0:             https://github.com/xerial/snappy-java/archive/%{version}.ta
 Source1:             https://repo1.maven.org/maven2/org/xerial/snappy/%{name}/%{version}/%{name}-%{version}.pom
 Patch0:              snappy-java-1.1.2-build.patch
 Patch1:              snappy-java-1.1.2.4-lsnappy.patch
+Patch2:              CVE-2023-34455.patch
+Patch3:              CVE-2023-34454.patch

 BuildRequires:       make gcc-c++ libstdc++-static snappy-devel
 BuildRequires:       maven-local mvn(com.sun:tools) mvn(org.apache.felix:maven-bundle-plugin)
@ -38,6 +40,8 @@ find -name "*.a" -print -delete
 find -name "*.h" -print -delete
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
 cp %{SOURCE1} pom.xml
 %pom_change_dep org.osgi: org.apache.felix::1.4.0
 %pom_xpath_remove "pom:dependency[pom:scope = 'test']"
@ -119,5 +123,8 @@ export CXXFLAGS
 %license LICENSE NOTICE

 %changelog
+* Mon Jul 03 2023 wangkai <13474090681@163.com> - 1.1.2.4-2
+- Fix CVE-2023-34455 and CVE-2023-34454
+
 * Tue Jul 28 2020 leiju <leiju4@huawei.com> - 1.1.2.4-1
 - Package init