From 6c1dc7899f47e86cc930a8c452689a7e05493a17 Mon Sep 17 00:00:00 2001
From: hanzj0122_admin <961123325@qq.com>
Date: Tue, 20 Oct 2020 11:40:27 +0800
Subject: [PATCH] fix CVE-2020-26154

---
 Fix-buffer-overflow-when-PAC-is-enabled.patch | 96 +++++++++++++++++++
 libproxy.spec                                 |  9 +-
 2 files changed, 104 insertions(+), 1 deletion(-)
 create mode 100644 Fix-buffer-overflow-when-PAC-is-enabled.patch

diff --git a/Fix-buffer-overflow-when-PAC-is-enabled.patch b/Fix-buffer-overflow-when-PAC-is-enabled.patch
new file mode 100644
index 0000000..43c5954
--- /dev/null
+++ b/Fix-buffer-overflow-when-PAC-is-enabled.patch
@@ -0,0 +1,96 @@
+From 75750b01d846fde77451fad4000bf0ca7caec8a7 Mon Sep 17 00:00:00 2001
+From: Fei Li <lifeibiren@gmail.com>
+Date: Fri, 17 Jul 2020 02:18:37 +0800
+Subject: [PATCH] Fix buffer overflow when PAC is enabled
+
+The bug was found on Windows 10 (MINGW64) when PAC is enabled. It turned
+out to be the large PAC file (more than 102400 bytes) returned by a
+local proxy program with no content-length present.
+---
+ libproxy/url.cpp | 44 +++++++++++++++++++++++++++++++-------------
+ 1 file changed, 31 insertions(+), 13 deletions(-)
+
+diff --git a/libproxy/url.cpp b/libproxy/url.cpp
+index b61a9bc..230d0ee 100644
+--- a/libproxy/url.cpp
++++ b/libproxy/url.cpp
+@@ -52,7 +52,7 @@ using namespace std;
+ #define PAC_MIME_TYPE_FB "text/plain"
+ 
+ // This is the maximum pac size (to avoid memory attacks)
+-#define PAC_MAX_SIZE 102400
++#define PAC_MAX_SIZE 0x800000
+ // This is the default block size to use when receiving via HTTP
+ #define PAC_HTTP_BLOCK_SIZE 512
+ 
+@@ -476,15 +476,13 @@ char* url::get_pac() {
+ 		}
+ 
+ 		// Get content
+-		unsigned int recvd = 0;
+-		buffer = new char[PAC_MAX_SIZE];
+-		memset(buffer, 0, PAC_MAX_SIZE);
++		std::vector<char> dynamic_buffer;
+ 		do {
+ 			unsigned int chunk_length;
+ 
+ 			if (chunked) {
+ 				// Discard the empty line if we received a previous chunk
+-				if (recvd > 0) recvline(sock);
++				if (!dynamic_buffer.empty()) recvline(sock);
+ 
+ 				// Get the chunk-length line as an integer
+ 				if (sscanf(recvline(sock).c_str(), "%x", &chunk_length) != 1 || chunk_length == 0) break;
+@@ -496,21 +494,41 @@ char* url::get_pac() {
+ 
+ 			if (content_length >= PAC_MAX_SIZE) break;
+ 
+-			while (content_length == 0 || recvd != content_length) {
+-				int r = recv(sock, buffer + recvd,
+-				             content_length == 0 ? PAC_HTTP_BLOCK_SIZE
+-				                                 : content_length - recvd, 0);
++			while (content_length == 0 || dynamic_buffer.size() != content_length) {
++				// Calculate length to recv
++				unsigned int length_to_read = PAC_HTTP_BLOCK_SIZE;
++				if (content_length > 0)
++					length_to_read = content_length - dynamic_buffer.size();
++
++				// Prepare buffer
++				dynamic_buffer.resize(dynamic_buffer.size() + length_to_read);
++
++				int r = recv(sock, dynamic_buffer.data() + dynamic_buffer.size() - length_to_read, length_to_read, 0);
++
++				// Shrink buffer to fit
++				if (r >= 0)
++					dynamic_buffer.resize(dynamic_buffer.size() - length_to_read + r);
++
++				// PAC size too large, discard
++				if (dynamic_buffer.size() >= PAC_MAX_SIZE) {
++					chunked = false;
++					dynamic_buffer.clear();
++					break;
++				}
++
+ 				if (r <= 0) {
+ 					chunked = false;
+ 					break;
+ 				}
+-				recvd += r;
+ 			}
+ 		} while (chunked);
+ 
+-		if (content_length != 0 && string(buffer).size() != content_length) {
+-			delete[] buffer;
+-			buffer = NULL;
++		if (content_length == 0 || content_length == dynamic_buffer.size()) {
++			buffer = new char[dynamic_buffer.size() + 1];
++			if (!dynamic_buffer.empty()) {
++				memcpy(buffer, dynamic_buffer.data(), dynamic_buffer.size());
++			}
++			buffer[dynamic_buffer.size()] = '\0';
+ 		}
+ 	}
+ 
+-- 
+1.8.3.1
+
diff --git a/libproxy.spec b/libproxy.spec
index b0964b7..c61af55 100644
--- a/libproxy.spec
+++ b/libproxy.spec
@@ -1,6 +1,6 @@
 Name:           libproxy
 Version:        0.4.15
-Release:        14
+Release:        15
 Summary:        Libproxy is a library that provides automatic proxy configuration management
 
 License:        LGPLv2+
@@ -14,6 +14,7 @@ Patch1:         libproxy-0.4.11-crash.patch
 # Patch 2 and 3 are backported from upstream commuity
 Patch2:         libproxy-0.4.15-python3738.patch
 Patch3:         libproxy-0.4.15-mozjs52.patch
+Patch4:         Fix-buffer-overflow-when-PAC-is-enabled.patch 
 
 BuildRequires:  cmake >= 2.6.0 gcc-c++
 BuildRequires:  pkgconfig(gio-2.0) >= 2.26 pkgconfig(mozjs-52) pkgconfig(libnm) python2-devel python3-devel
@@ -122,6 +123,12 @@ make test
 %{_mandir}/man1/proxy.1*
 
 %changelog
+* Tue Oct 20 hanzhijun <hanzhijun1@huawei.com> - 0.4.15-15
+- Type:cves
+- Id:NA
+- SUG:NA
+- DESC:fix CVE-2020-26154
+
 * Thu Aug 6 2020 zengwefeng <zwfeng@huawei.com> - 0.4.15-14
 - Type:bugfix
 - Id:NA
-- 
Gitee