!48 Fix CVE-2021-45960

From: @jackssir 
Reviewed-by: @dou33 
Signed-off-by: @dou33
openeuler-ci-bot 2024-06-14 08:10:33 +00:00 committed by Gitee
commit 7d3752b65b
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 70 additions and 1 deletions

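--- a/CVE-2021-45960.patch
+++ b/CVE-2021-45960.patch
@@ -0,0 +1,65 @@
+From 342c6cc760e273fef7a411a5658594b51957725f Mon Sep 17 00:00:00 2001
+From: lvfei <lvfei@kylinos.cn>
+Date: Thu, 20 Jul 2023 13:46:51 +0800
+Subject: [PATCH] CVE-2021-45960
+---
+parser/expat/lib/xmlparse.c | 32 ++++++++++++++++++++++++++++++--
+1 file changed, 30 insertions(+), 2 deletions(-)
+diff --git a/parser/expat/lib/xmlparse.c b/parser/expat/lib/xmlparse.c
+index 3ee417387c..f81a68d2fc 100644
+--- a/parser/expat/lib/xmlparse.c
++++ b/parser/expat/lib/xmlparse.c
+@@ -3382,10 +3382,17 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
+/* END MOZILLA CHANGE */
+int j; /* hash table index */
+unsigned long version = nsAttsVersion;
+- int nsAttsSize = (int)1 << nsAttsPower;
++ /* Detect and prevent invalid shift */
++ if (parser->m_nsAttsPower >= sizeof(unsigned int) * 8 /* bits per byte */) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
++ unsigned int nsAttsSize = 1u << nsAttsPower;
++
+/* BEGIN MOZILLA CHANGE (Include xmlns attributes in attributes array) */
+if (nPrefixes) {
+/* END MOZILLA CHANGE */
++ unsigned char oldNsAttsPower = parser->m_nsAttsPower;
+/* size of hash table must be at least 2 * (# of prefixed attributes) */
+if ((nPrefixes << 1) >> nsAttsPower) { /* true for nsAttsPower = 0 */
+NS_ATT *temp;
+@@ -3393,7 +3400,28 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
+while (nPrefixes >> nsAttsPower++);
+if (nsAttsPower < 3)
+nsAttsPower = 3;
+- nsAttsSize = (int)1 << nsAttsPower;
++
++ /* Detect and prevent invalid shift */
++ if (parser->m_nsAttsPower >= sizeof(nsAttsSize) * 8 /* bits per byte */) {
++ /* Restore actual size of memory in m_nsAtts */
++ parser->m_nsAttsPower = oldNsAttsPower;
++ return XML_ERROR_NO_MEMORY;
++ }
++
++ nsAttsSize = 1u << parser->m_nsAttsPower;
++
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if (nsAttsSize > (size_t)(-1) / sizeof(NS_ATT)) {
++ /* Restore actual size of memory in m_nsAtts */
++ parser->m_nsAttsPower = oldNsAttsPower;
++ return XML_ERROR_NO_MEMORY;
++ }
++#endif
++
+temp = (NS_ATT *)REALLOC(nsAtts, nsAttsSize * sizeof(NS_ATT));
+if (!temp)
+return XML_ERROR_NO_MEMORY;
+--
+2.27.0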
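Review bot: The REALLOC failure path at the end of the second hunk (`if (!temp) return XML_ERROR_NO_MEMORY;`, left as context) still returns with `parser->m_nsAttsPower` at its newly increased value while `m_nsAtts` keeps its old, smaller allocation, even though the two new bail-outs just above it take care to roll the power back to `oldNsAttsPower`. As far as I recall, the upstream expat fix for this CVE restores the old value at that site as well, so the backport appears to have dropped one of the three restore points, and the recorded table size can then exceed what was actually allocated on an out-of-memory return. Those lines should become `if (!temp) { parser->m_nsAttsPower = oldNsAttsPower; return XML_ERROR_NO_MEMORY; }` to keep the power and the buffer in step on every error path. A smaller point of style: the new lines read the same field both as `parser->m_nsAttsPower` (the guards and the second shift) and through the bare `nsAttsPower` name the surrounding code uses (presumably the file's accessor macro, since both forms already coexist in this function); using one form throughout would make the backport easier to compare with upstream. storeAtts begins and ends outside both hunks.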


@ -2,7 +2,7 @@
Name: mozjs%{major} Name: mozjs%{major}
Version: 78.4.0 Version: 78.4.0
Release: 7 Release: 8
Summary: SpiderMonkey JavaScript library Summary: SpiderMonkey JavaScript library
License: MPLv2.0 and MPLv1.1 and BSD and GPLv2+ and GPLv3+ and LGPLv2+ and AFL and ASL 2.0 License: MPLv2.0 and MPLv1.1 and BSD and GPLv2+ and GPLv3+ and LGPLv2+ and AFL and ASL 2.0
URL: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey URL: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey
@ -30,6 +30,7 @@ Patch14: CVE-2021-29946.patch
Patch15: CVE-2022-34481.patch Patch15: CVE-2022-34481.patch
Patch16: CVE-2023-29532.patch Patch16: CVE-2023-29532.patch
Patch17: CVE-2022-22740.patch Patch17: CVE-2022-22740.patch
Patch18: CVE-2021-45960.patch
BuildRequires: autoconf213 cargo clang-devel gcc gcc-c++ perl-devel pkgconfig(libffi) pkgconfig(zlib) BuildRequires: autoconf213 cargo clang-devel gcc gcc-c++ perl-devel pkgconfig(libffi) pkgconfig(zlib)
BuildRequires: python3-devel python3-six readline-devel zip nasm llvm llvm-devel icu rust BuildRequires: python3-devel python3-six readline-devel zip nasm llvm llvm-devel icu rust
@ -109,6 +110,9 @@ popd
%doc js/src/README.html %doc js/src/README.html
%changelog %changelog
* Thu Jun 13 2024 lvfei <lvfei@kylinos.cn> - - 78.4.0-8
- Fix CVE-2021-45960
* Thu Jun 13 2024 sunhai <sunhai10@huawei.com> - 78.4.0-7 * Thu Jun 13 2024 sunhai <sunhai10@huawei.com> - 78.4.0-7
- fix CVE-2022-22740 - fix CVE-2022-22740