helium-3rd-party/meta-openembedded
1
0
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2025-12-31 13:38:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

libcroco: Add fix for CVE-2020-12825

Browse Source 
Added refreshed patch for CVE issue CVE-2020-12825
Link: 203d62efef

Signed-off-by: Neetika.Singh <Neetika.Singh@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Neetika Singh 2021-03-28 18:44:21 +05:30 committed by Armin Kuster
parent 1f2070d492
commit 522603beb6
2 changed files with 212 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

190
meta/recipes-support/libcroco/libcroco/CVE-2020-12825.patch Normal file
View File

@ -0,0 +1,190 @@
From 203d62efefe6f79080863dda61593003b4c31f25 Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@gnome.org>
Date: Thu, 13 Aug 2020 20:03:05 -0500
Subject: [PATCH] libcroco parser: limit recursion in block and any productions
If we don't have any limits, we can recurse forever and overflow the
stack.
This is for CVE-2020-12825: Stack overflow in cr_parser_parse_any_core
in cr-parser.c.
Bug: https://gitlab.gnome.org/Archive/libcroco/-/issues/8
Patch from https://gitlab.gnome.org/Archive/libcroco/-/merge_requests/5
CVE: CVE-2020-12825
Upstream Status: Backport [https://gitlab.com/inkscape/inkscape/-/commit/203d62efefe6f79080863dda61593003b4c31f25.patch]
---
src/cr-parser.c | 44 ++++++++++++++++++++-----------
1 file changed, 29 insertions(+), 15 deletions(-)
diff --git a/src/cr-parser.c b/src/cr-parser.c
index d85e71f0fc..cd7b6ebd4a 100644
--- a/src/cr-parser.c
+++ b/src/cr-parser.c
@@ -136,6 +136,8 @@ struct _CRParserPriv {
#define CHARS_TAB_SIZE 12
+#define RECURSIVE_CALLERS_LIMIT 100
+
/**
* IS_NUM:
*@a_char: the char to test.
@@ -343,9 +345,11 @@ static enum CRStatus cr_parser_parse_selector_core (CRParser * a_this);
static enum CRStatus cr_parser_parse_declaration_core (CRParser * a_this);
-static enum CRStatus cr_parser_parse_any_core (CRParser * a_this);
+static enum CRStatus cr_parser_parse_any_core (CRParser * a_this,
+ guint n_calls);
-static enum CRStatus cr_parser_parse_block_core (CRParser * a_this);
+static enum CRStatus cr_parser_parse_block_core (CRParser * a_this,
+ guint n_calls);
static enum CRStatus cr_parser_parse_value_core (CRParser * a_this);
@@ -783,7 +787,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
cr_parser_try_to_skip_spaces_and_comments (a_this);
do {
- status = cr_parser_parse_any_core (a_this);
+ status = cr_parser_parse_any_core (a_this, 0);
} while (status == CR_OK);
status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr,
@@ -794,7 +798,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
token);
token = NULL;
- status = cr_parser_parse_block_core (a_this);
+ status = cr_parser_parse_block_core (a_this, 0);
CHECK_PARSING_STATUS (status,
FALSE);
goto done;
@@ -929,11 +933,11 @@ cr_parser_parse_selector_core (CRParser * a_this)
RECORD_INITIAL_POS (a_this, &init_pos);
- status = cr_parser_parse_any_core (a_this);
+ status = cr_parser_parse_any_core (a_this, 0);
CHECK_PARSING_STATUS (status, FALSE);
do {
- status = cr_parser_parse_any_core (a_this);
+ status = cr_parser_parse_any_core (a_this, 0);
} while (status == CR_OK);
@@ -955,10 +959,12 @@ cr_parser_parse_selector_core (CRParser * a_this)
*in chapter 4.1 of the css2 spec.
*block ::= '{' S* [ any | block | ATKEYWORD S* | ';' ]* '}' S*;
*@param a_this the current instance of #CRParser.
+ *@param n_calls used to limit recursion depth
*FIXME: code this function.
*/
static enum CRStatus
-cr_parser_parse_block_core (CRParser * a_this)
+cr_parser_parse_block_core (CRParser * a_this,
+ guint n_calls)
{
CRToken *token = NULL;
CRInputPos init_pos;
@@ -966,6 +972,9 @@ cr_parser_parse_block_core (CRParser * a_this)
g_return_val_if_fail (a_this && PRIVATE (a_this), CR_BAD_PARAM_ERROR);
+ if (n_calls > RECURSIVE_CALLERS_LIMIT)
+ return CR_ERROR;
+
RECORD_INITIAL_POS (a_this, &init_pos);
status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token);
@@ -995,13 +1004,13 @@ cr_parser_parse_block_core (CRParser * a_this)
} else if (token->type == CBO_TK) {
cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
token = NULL;
- status = cr_parser_parse_block_core (a_this);
+ status = cr_parser_parse_block_core (a_this, n_calls + 1);
CHECK_PARSING_STATUS (status, FALSE);
goto parse_block_content;
} else {
cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
token = NULL;
- status = cr_parser_parse_any_core (a_this);
+ status = cr_parser_parse_any_core (a_this, n_calls + 1);
CHECK_PARSING_STATUS (status, FALSE);
goto parse_block_content;
}
@@ -1108,7 +1117,7 @@ cr_parser_parse_value_core (CRParser * a_this)
status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
token);
token = NULL;
- status = cr_parser_parse_block_core (a_this);
+ status = cr_parser_parse_block_core (a_this, 0);
CHECK_PARSING_STATUS (status, FALSE);
ref++;
goto continue_parsing;
@@ -1122,7 +1131,7 @@ cr_parser_parse_value_core (CRParser * a_this)
status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
token);
token = NULL;
- status = cr_parser_parse_any_core (a_this);
+ status = cr_parser_parse_any_core (a_this, 0);
if (status == CR_OK) {
ref++;
goto continue_parsing;
@@ -1162,10 +1162,12 @@
* | FUNCTION | DASHMATCH | '(' any* ')' | '[' any* ']' ] S*;
*
*@param a_this the current instance of #CRParser.
+ *@param n_calls used to limit recursion depth
*@return CR_OK upon successfull completion, an error code otherwise.
*/
static enum CRStatus
-cr_parser_parse_any_core (CRParser * a_this)
+cr_parser_parse_any_core (CRParser * a_this,
+ guint n_calls)
{
CRToken *token1 = NULL,
*token2 = NULL;
@@ -1173,6 +1184,9 @@ cr_parser_parse_any_core (CRParser * a_this)
g_return_val_if_fail (a_this, CR_BAD_PARAM_ERROR);
+ if (n_calls > RECURSIVE_CALLERS_LIMIT)
+ return CR_ERROR;
+
RECORD_INITIAL_POS (a_this, &init_pos);
status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token1);
@@ -1211,7 +1225,7 @@ cr_parser_parse_any_core (CRParser * a_this)
*We consider parameter as being an "any*" production.
*/
do {
- status = cr_parser_parse_any_core (a_this);
+ status = cr_parser_parse_any_core (a_this, n_calls + 1);
} while (status == CR_OK);
ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
@@ -1236,7 +1250,7 @@ cr_parser_parse_any_core (CRParser * a_this)
}
do {
- status = cr_parser_parse_any_core (a_this);
+ status = cr_parser_parse_any_core (a_this, n_calls + 1);
} while (status == CR_OK);
ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
@@ -1264,7 +1278,7 @@ cr_parser_parse_any_core (CRParser * a_this)
}
do {
- status = cr_parser_parse_any_core (a_this);
+ status = cr_parser_parse_any_core (a_this, n_calls + 1);
} while (status == CR_OK);
ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
--
GitLab

22
meta/recipes-support/libcroco/libcroco_0.6.13.bb Normal file
View File

@ -0,0 +1,22 @@
SUMMARY = "Cascading Style Sheet (CSS) parsing and manipulation toolkit"
HOMEPAGE = "http://www.gnome.org/"
BUGTRACKER = "https://bugzilla.gnome.org/"
LICENSE = "LGPLv2 & LGPLv2.1"
LIC_FILES_CHKSUM = "file://COPYING;md5=55ca817ccb7d5b5b66355690e9abc605 \
file://src/cr-rgb.c;endline=22;md5=31d5f0944d556c8589d04ea6055fcc66 \
file://tests/cr-test-utils.c;endline=21;md5=2382c27934cae1d3792fcb17a6142c4e"
SECTION = "x11/utils"
DEPENDS = "glib-2.0 libxml2 zlib"
BBCLASSEXTEND = "native nativesdk"
EXTRA_OECONF += "--enable-Bsymbolic=auto"
BINCONFIG = "${bindir}/croco-0.6-config"
inherit gnomebase gtk-doc binconfig-disabled
SRC_URI += "file://CVE-2020-12825.patch"
SRC_URI[archive.md5sum] = "c80c5a8385011a0260dce6bd0da93dce"
SRC_URI[archive.sha256sum] = "767ec234ae7aa684695b3a735548224888132e063f92db585759b422570621d4"