From 0d3eacb6855069da2818c9173c643fae219d59da Mon Sep 17 00:00:00 2001 From: sxt1001 Date: Tue, 28 Mar 2023 16:42:54 +0800 Subject: [PATCH] fix CVE-2020-12762 (cherry picked from commit 6110926dc24d8dd5b97b96bebfaf53e28ad27d79) --- backport-CVE-2020-12762.patch | 66 +++++++++++++++++++++++++++++++++++ libfastjson.spec | 7 +++- 2 files changed, 72 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2020-12762.patch diff --git a/backport-CVE-2020-12762.patch b/backport-CVE-2020-12762.patch new file mode 100644 index 0000000..e4922cd --- /dev/null +++ b/backport-CVE-2020-12762.patch @@ -0,0 +1,66 @@ +From f51fcd59a8bbeb60eaf8ae0e398556be2fa3317a Mon Sep 17 00:00:00 2001 +From: Wang Haitao +Date: Tue, 14 Mar 2023 22:25:54 +0800 +Subject: [PATCH] Fix CVE-2020-12762 + +reference: https://github.com/json-c/json-c/pull/592/files + +I reproduce this CVE using the code from https://github.com/json-c/json-c/pull/592 + +And it fix it and no more segmentation fault +--- + printbuf.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/printbuf.c b/printbuf.c +index e9cde11..b02a363 100644 +--- a/printbuf.c ++++ b/printbuf.c +@@ -13,6 +13,7 @@ + + #include "config.h" + ++#include + #include + #include + #include +@@ -68,9 +69,16 @@ static int printbuf_extend(struct printbuf *p, int min_size) + if (p->size >= min_size) + return 0; + +- new_size = p->size * 2; +- if (new_size < min_size + 8) +- new_size = min_size + 8; ++ /* Prevent signed integer overflows with large buffers. */ ++ if (min_size > INT_MAX - 8) ++ return -1; ++ if (p->size > INT_MAX / 2) ++ new_size = min_size + 8; ++ else { ++ new_size = p->size * 2; ++ if (new_size < min_size + 8) ++ new_size = min_size + 8; ++ } + #ifdef PRINTBUF_DEBUG + MC_DEBUG("printbuf_memappend: realloc " + "bpos=%d min_size=%d old_size=%d new_size=%d\n", +@@ -85,6 +93,9 @@ static int printbuf_extend(struct printbuf *p, int min_size) + + int printbuf_memappend(struct printbuf *p, const char *buf, int size) + { ++ /* Prevent signed integer overflows with large buffers. */ ++ if (size > INT_MAX - p->bpos - 1) ++ return -1; + if (p->size <= p->bpos + size + 1) { + if (printbuf_extend(p, p->bpos + size + 1) < 0) + return -1; +@@ -136,6 +147,9 @@ int printbuf_memset(struct printbuf *pb, int offset, int charvalue, int len) + + if (offset == -1) + offset = pb->bpos; ++ /* Prevent signed integer overflows with large buffers. */ ++ if (len > INT_MAX - offset) ++ return -1; + size_needed = offset + len; + if (pb->size < size_needed) + { diff --git a/libfastjson.spec b/libfastjson.spec index 759ad6a..3042174 100644 --- a/libfastjson.spec +++ b/libfastjson.spec @@ -1,11 +1,13 @@ Name: libfastjson Version: 0.99.9 -Release: 2 +Release: 3 Summary: JSON-C - A JSON implementation in C License: MIT URL: https://github.com/rsyslog/libfastjson Source0: http://download.rsyslog.com/%{name}/%{name}-%{version}.tar.gz +Patch1: backport-CVE-2020-12762.patch + BuildRequires: autoconf automake libtool %description @@ -56,6 +58,9 @@ make V=1 check %{_libdir}/pkgconfig/libfastjson.pc %changelog +* Tue Mar 28 2023 shixuantong - 0.99.9-3 +- fix CVE-2020-12762 + * Thu Sep 8 2022 panxiaohe - 0.99.9-2 - fix obsoletes in spec -- Gitee