!48 Fix CVE-2021-45960

From: @jackssir Reviewed-by: @dou33 Signed-off-by: @dou33
2024-06-14 08:10:33 +00:00 · 2024-06-14 08:10:33 +00:00 · 7d3752b65b
commit 7d3752b65b
parent c30cf797be 4594913781
2 changed files with 70 additions and 1 deletions
--- a/CVE-2021-45960.patch
+++ b/CVE-2021-45960.patch
@ -0,0 +1,65 @@
+From 342c6cc760e273fef7a411a5658594b51957725f Mon Sep 17 00:00:00 2001
+From: lvfei <lvfei@kylinos.cn>
+Date: Thu, 20 Jul 2023 13:46:51 +0800
+Subject: [PATCH] CVE-2021-45960
+
+---
+ parser/expat/lib/xmlparse.c | 32 ++++++++++++++++++++++++++++++--
+ 1 file changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/parser/expat/lib/xmlparse.c b/parser/expat/lib/xmlparse.c
+index 3ee417387c..f81a68d2fc 100644
+--- a/parser/expat/lib/xmlparse.c
+++ b/parser/expat/lib/xmlparse.c
+@@ -3382,10 +3382,17 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
+ /* END MOZILLA CHANGE */
+     int j;  /* hash table index */
+     unsigned long version = nsAttsVersion;
+-    int nsAttsSize = (int)1 << nsAttsPower;
+     /* Detect and prevent invalid shift */
+    if (parser->m_nsAttsPower >= sizeof(unsigned int) * 8 /* bits per byte */) {
+      return XML_ERROR_NO_MEMORY;
+    }
+
+    unsigned int nsAttsSize = 1u << nsAttsPower;    
+
+ /* BEGIN MOZILLA CHANGE (Include xmlns attributes in attributes array) */
+     if (nPrefixes) {
+ /* END MOZILLA CHANGE */
+    unsigned char oldNsAttsPower = parser->m_nsAttsPower;
+     /* size of hash table must be at least 2 * (# of prefixed attributes) */
+     if ((nPrefixes << 1) >> nsAttsPower) {  /* true for nsAttsPower = 0 */
+       NS_ATT *temp;
+@@ -3393,7 +3400,28 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
+       while (nPrefixes >> nsAttsPower++);
+       if (nsAttsPower < 3)
+         nsAttsPower = 3;
+-      nsAttsSize = (int)1 << nsAttsPower;
+      
+            /* Detect and prevent invalid shift */
+      if (parser->m_nsAttsPower >= sizeof(nsAttsSize) * 8 /* bits per byte */) {
+        /* Restore actual size of memory in m_nsAtts */
+        parser->m_nsAttsPower = oldNsAttsPower;
+        return XML_ERROR_NO_MEMORY;
+      }
+
+      nsAttsSize = 1u << parser->m_nsAttsPower;
+
+      /* Detect and prevent integer overflow.
+       * The preprocessor guard addresses the "always false" warning
+       * from -Wtype-limits on platforms where
+       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+      if (nsAttsSize > (size_t)(-1) / sizeof(NS_ATT)) {
+        /* Restore actual size of memory in m_nsAtts */
+        parser->m_nsAttsPower = oldNsAttsPower;
+        return XML_ERROR_NO_MEMORY;
+      }
+#endif
+      
+       temp = (NS_ATT *)REALLOC(nsAtts, nsAttsSize * sizeof(NS_ATT));
+       if (!temp)
+         return XML_ERROR_NO_MEMORY;
+-- 
+2.27.0
+
--- a/mozjs78.spec
+++ b/mozjs78.spec
@ -2,7 +2,7 @@

 Name:           mozjs%{major}
 Version:        78.4.0
-Release:        7
+Release:        8
 Summary:        SpiderMonkey JavaScript library
 License:        MPLv2.0 and MPLv1.1 and BSD and GPLv2+ and GPLv3+ and LGPLv2+ and AFL and ASL 2.0
 URL:            https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey
@ -30,6 +30,7 @@ Patch14:        CVE-2021-29946.patch
 Patch15:        CVE-2022-34481.patch
 Patch16:        CVE-2023-29532.patch
 Patch17:        CVE-2022-22740.patch
+Patch18:        CVE-2021-45960.patch

 BuildRequires:  autoconf213 cargo clang-devel gcc gcc-c++ perl-devel pkgconfig(libffi) pkgconfig(zlib) 
 BuildRequires:  python3-devel python3-six readline-devel zip nasm llvm llvm-devel icu rust
@ -109,6 +110,9 @@ popd
 %doc js/src/README.html

 %changelog
+* Thu Jun 13 2024 lvfei <lvfei@kylinos.cn> - - 78.4.0-8
+- Fix CVE-2021-45960
+
 * Thu Jun 13 2024 sunhai <sunhai10@huawei.com> - 78.4.0-7
 - fix CVE-2022-22740