From bc00314eed83c09a3f5eb45bef3dbf2d2eef1ba0 Mon Sep 17 00:00:00 2001
From: shixuantong
Date: Mon, 15 Apr 2024 11:22:54 +0800
Subject: [PATCH] fix overflow and Avoid 'NULL + 1'
---
 ...id-8bit-overflow-in-is_public_suffix.patch | 29 ++
 backport-Avoid-NULL-add-1-as-it-is-UB.patch | 37 +++
 ...erflow-WRITE-1-in-domain_to_punycode.patch | 29 ++
 ...-overflow-by-1-in-domain_to_punycode.patch | 285 ++++++++++++++++++
 libpsl.spec | 13 +-
 5 files changed, 392 insertions(+), 1 deletion(-)
 create mode 100644 backport-Avoid-8bit-overflow-in-is_public_suffix.patch
 create mode 100644 backport-Avoid-NULL-add-1-as-it-is-UB.patch
 create mode 100644 backport-Fix-stack-buffer-overflow-WRITE-1-in-domain_to_punycode.patch
 create mode 100644 backport-Fix-write-buffer-overflow-by-1-in-domain_to_punycode.patch
diff --git a/backport-Avoid-8bit-overflow-in-is_public_suffix.patch b/backport-Avoid-8bit-overflow-in-is_public_suffix.patch
new file mode 100644
index 0000000..695aa41
--- /dev/null
+++ b/backport-Avoid-8bit-overflow-in-is_public_suffix.patch
@@ -0,0 +1,29 @@
+From 55d0ae04dea0856311b05ea03567d65bf8b9e45d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?=
+Date: Sun, 16 Jan 2022 12:51:33 +0100
+Subject: [PATCH] Avoid 8bit overflow in is_public_suffix()
+
+---
+ src/psl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/psl.c b/src/psl.c
+index be95602..8e7a9e8 100644
+--- a/src/psl.c
++++ b/src/psl.c
+@@ -835,8 +835,11 @@ static int is_public_suffix(const psl_ctx_t *psl, const char *domain, int type)
+ suffix.nlabels = 1;
+ 
+ for (p = domain; *p; p++) {
+- if (*p == '.')
++ if (*p == '.') {
++ if (suffix.nlabels == 255) // weird input, avoid 8bit overflow
++ return 0;
+ suffix.nlabels++;
++ }
+ else if (*((unsigned char *)p) >= 128)
+ need_conversion = 1; /* in case domain is non-ascii we need a toASCII conversion */
+ }
+-- 
+2.27.0
+
diff --git a/backport-Avoid-NULL-add-1-as-it-is-UB.patch b/backport-Avoid-NULL-add-1-as-it-is-UB.patch
new file mode 100644
index 0000000..5bd0acb
--- /dev/null
+++ b/backport-Avoid-NULL-add-1-as-it-is-UB.patch
@@ -0,0 +1,37 @@
+From 21d2d5191160439544150c017216f751c2c392fd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?=
+Date: Sun, 16 Jan 2022 12:55:51 +0100
+Subject: [PATCH] Avoid 'NULL + 1' as it is UB
+
+---
+ src/psl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/psl.c b/src/psl.c
+index 8e7a9e8..f85a895 100644
+--- a/src/psl.c
++++ b/src/psl.c
+@@ -568,7 +568,7 @@ static int domain_to_punycode(const char *domain, char *out, size_t outsize)
+ punycode_uint input[256];
+ const char *label, *e;
+ 
+- for (e = label = domain; e; label = e + 1) {
++ for (e = label = domain; e;) {
+ e = strchr(label, '.');
+ labellen = e ? (size_t) (e - label) : strlen(label);
+ 
+@@ -596,8 +596,10 @@ static int domain_to_punycode(const char *domain, char *out, size_t outsize)
+ outlen += labellen;
+ }
+ 
+- if (e)
++ if (e) {
++ label = e + 1;
+ out[outlen++] = '.';
++ }
+ out[outlen] = 0;
+ }
+ 
+-- 
+2.27.0
+
diff --git a/backport-Fix-stack-buffer-overflow-WRITE-1-in-domain_to_punycode.patch b/backport-Fix-stack-buffer-overflow-WRITE-1-in-domain_to_punycode.patch
new file mode 100644
index 0000000..a69c6a5
--- /dev/null
+++ b/backport-Fix-stack-buffer-overflow-WRITE-1-in-domain_to_punycode.patch
@@ -0,0 +1,29 @@
+From 1023a9ad12d146608ba6326a3114f9b23b812124 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?=
+Date: Sat, 15 Jan 2022 22:38:32 +0100
+Subject: [PATCH] Fix stack buffer overflow WRITE 1 in domain_to_punycode()
+
+Reported-by: oss-fuzz (issue 39424 and issue 39226)
+
+The affected code would only be built into the library when
+configured to build without any IDNA library.
+---
+ src/psl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/psl.c b/src/psl.c
+index eefde3c..be95602 100644
+--- a/src/psl.c
++++ b/src/psl.c
+@@ -590,7 +590,7 @@ static int domain_to_punycode(const char *domain, char *out, size_t outsize)
+ memcpy(out + outlen, "xn--", 4);
+ outlen += 4;
+ 
+- labellen = outsize - outlen - 1; // -1 to leave space for the trailing \0
++ labellen = outsize - outlen - (e != NULL) - 1; // -1 to leave space for the trailing \0
+ if (punycode_encode(inputlen, input, &labellen, out + outlen))
+ return 1;
+ outlen += labellen;
+-- 
+2.27.0
+
diff --git a/backport-Fix-write-buffer-overflow-by-1-in-domain_to_punycode.patch b/backport-Fix-write-buffer-overflow-by-1-in-domain_to_punycode.patch
new file mode 100644
index 0000000..937068d
--- /dev/null
+++ b/backport-Fix-write-buffer-overflow-by-1-in-domain_to_punycode.patch
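Review bot: The new `- (e != NULL)` term on the `labellen =` line is not explained by the comment that survives on it, which still accounts only for the `- 1`; since the term reserves the byte for the '.' written after a non-final label, the line should read `labellen = outsize - outlen - (e != NULL) - 1; // room for the '.' after a non-final label and the trailing \0`. The same unsigned expression wraps to a huge size_t whenever outlen + (e != NULL) + 1 exceeds outsize, so it relies on a bound check ahead of the `memcpy(out + outlen, "xn--", 4)` that is not inside this hunk; if no such check exists there, punycode_encode() is handed an unbounded output length and the overflow this patch fixes would only move. domain_to_punycode() starts and ends outside the hunk, and because this file is a backported upstream commit any such change belongs upstream or in a further backport patch rather than in an edit of this patch file.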
@@ -0,0 +1,285 @@ +From b2625f93f2dcb28ea6c4b33d4cb7ff50a24f3c00 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20R=C3=BChsen?= +Date: Sun, 26 Sep 2021 18:01:59 +0200 +Subject: [PATCH] Fix write buffer overflow by 1 in domain_to_punycode() + +This issue has been triggered after the previous commit increased +the size of label_buf. + +It has been found by OSS-Fuzz (issue 39226). +The testcase is included into the unit tests. +--- + ...stcase-libpsl_load_fuzzer-5191070590304256 | 231 ++++++++++++++++++ + src/psl.c | 5 +- + 2 files changed, 232 insertions(+), 4 deletions(-) + create mode 100644 fuzz/libpsl_load_fuzzer.repro/clusterfuzz-testcase-libpsl_load_fuzzer-5191070590304256 + +diff --git a/fuzz/libpsl_load_fuzzer.repro/clusterfuzz-testcase-libpsl_load_fuzzer-5191070590304256 b/fuzz/libpsl_load_fuzzer.repro/clusterfuzz-testcase-libpsl_load_fuzzer-5191070590304256 +new file mode 100644 +index 0000000..9d276c1 +--- /dev/null ++++ b/fuzz/libpsl_load_fuzzer.repro/clusterfuzz-testcase-libpsl_load_fuzzer-5191070590304256 +@@ -0,0 +1,231 @@ ++^^Z^^^^^^^^^^^^^^^^^^^^rRRRINS=== ++com ++а ++зٰ ++Ե ++Ը ++٪ ++ϰ ++Ը ++ٰ ++Ը ++ٸ ++٪ ++ϰ ++Ը ++٪ ++ϰ ++Ը ++٪ ++ϰ ++Ը ++٪ ++ϰ ++Ը ++٪ ++ϰԸ ++ٰ ++Ը ++٪ ++ϰ ++Ը ++٪ ++ϰ ++Ը ++ؿ ++Ԏ ++ж ++ۺ ++׺ ++й ++ظ ++ѷ ++٫ ++ϲ ++յ ++ڸϰ ++Ը ++٪ ++ϰ ++Ը ++٪ ++ϰ ++Ը ++٪ ++ϰ ++Ը ++٪ ++ϰ ++Ը ++٪ ++ϰԸ ++٪ ++ ++ۺ ++׺ ++й ++ظ ++ѷ ++٫ ++ϲ ++յ7뭏 ++ڸϰ ++ۺ ++׺ ++й ++ظ ++ѷ٫ ++ϲ ++յ ++ڸϰ888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888 ++Ը ++٪ ++ϰ ++^^^^^^^^^^^^^^^^^^^^^^^^^^^m^^^^N^ ++٪ ++ϰ ++Ը ++٪ ++ϰ ++Ը ++٪ ++ϰ ++Ը ++٪ ++ϰԸ ++٪ ++ϰ ++ظ ++ѷ ++ٰ ++Ԟ ++ڸ ++һһ ++غ ++иظ ++ѷ ++ٰ ++Ե ++٪ ++ϰԸ ++٪ ++ϰ ++ ++ڸ ++һ ++غ ++ҹ ++ظ ++ѷ ++ٰԸ ++٪ ++ϰ ++Ը ++٪ ++ϰ ++Ը ++٪ ++ϰ ++Ը ++٪٫ ++ϲ ++յ ++ڸϰ ++Ը ++٪ ++ϰ ++Ը ++٪ ++ϰ ++Ը ++٪ ++ϰ ++Ը ++٪ ++ϰ ++Ը ++٪ ++ϰԸ ++٪ ++ ++ۺ ++׺ ++ ++ϰ ++Ը ++٪ ++ϰԸ ++ٰ ++Ը ++٪ ++ϰ ++Ը ++٪ ++ϰ ++Ը ++ؿ ++Ԏ ++ж ++ۺ ++׺Mй ++ظ ++ѷ ++٫ ++ϲ ++յ ++ڸϰ ++Ը ++٪ ++ϰ ++Ը ++٪ ++ϰ ++Ը ++٪ ++ϰ ++Ը ++٪ 
++ϰ ++Ը ++٪ ++ϰԸ ++٪ ++ ++ۺ ++׺ ++й ++ظ ++ѷ ++٫ ++ϲ ++յ ++ڸϰ ++ۺ ++׺ ++й ++ظ ++ѷ ++٫ ++ϲ ++յ ++ڸϰ ++Ը ++٪ ++ϰ ++Ը ++٪ ++ϰ ++Ը ++٪ ++ϰ ++Ը ++٪ ++ϰ ++Ը ++٪ ++ϰԸ ++٪ ++^^a^^^N^^^ ++ظ ++^^^^^^^^ ++^^^
+\ No newline at end of file
+diff --git a/src/psl.c b/src/psl.c
+index f1691e0..eefde3c 100644
+--- a/src/psl.c
++++ b/src/psl.c
+@@ -571,13 +571,11 @@ static int domain_to_punycode(const char *domain, char *out, size_t outsize)
+ for (e = label = domain; e; label = e + 1) {
+ e = strchr(label, '.');
+ labellen = e ? (size_t) (e - label) : strlen(label);
+- /* printf("s=%s inlen=%zd\n", label, labellen); */
+ 
+ if (mem_is_ascii(label, labellen)) {
+ if (outlen + labellen + (e != NULL) >= outsize)
+ return 1;
+ 
+- /* printf("outlen=%zd labellen=%zd\n", outlen, labellen); */
+ memcpy(out + outlen, label, labellen);
+ outlen += labellen;
+ } else {
+@@ -592,8 +590,7 @@ static int domain_to_punycode(const char *domain, char *out, size_t outsize)
+ memcpy(out + outlen, "xn--", 4);
+ outlen += 4;
+ 
+- labellen = outsize - outlen;
+- /* printf("n=%zd space_left=%zd\n", n, labellen); */
++ labellen = outsize - outlen - 1; // -1 to leave space for the trailing \0
+ if (punycode_encode(inputlen, input, &labellen, out + outlen))
+ return 1;
+ outlen += labellen;
+-- 
+2.27.0
+
diff --git a/libpsl.spec b/libpsl.spec
index c3ef5cd..5a4ab4b 100644
--- a/libpsl.spec
+++ b/libpsl.spec
@@ -1,11 +1,16 @@
 Name: libpsl
 Version: 0.21.1
-Release: 5
+Release: 6
 Summary: C library to handle the Public Suffix List
 License: MIT
 URL: https://github.com/rockdaboot/libpsl
 Source0: https://github.com/rockdaboot/libpsl/releases/download/%{version}/libpsl-%{version}.tar.gz
+Patch6000: backport-Fix-write-buffer-overflow-by-1-in-domain_to_punycode.patch
+Patch6001: backport-Fix-stack-buffer-overflow-WRITE-1-in-domain_to_punycode.patch
+Patch6002: backport-Avoid-8bit-overflow-in-is_public_suffix.patch
+Patch6003: backport-Avoid-NULL-add-1-as-it-is-UB.patch
+
 BuildRequires: gcc gtk-doc glib2-devel libxslt python3-devel chrpath
 BuildRequires: libicu-devel libidn2-devel publicsuffix-list libunistring-devel
 Requires: publicsuffix-list
@@ -104,6 +109,12 @@ make check
 %{_datadir}/gtk-doc/html/%{name}
 %changelog
+* Mon Apr 15 2024 shixuantong - 0.21.1-6
+- Fix write buffer overflow by 1 in domain_to_punycode()
+- Fix stack buffer overflow WRITE 1 in domain_to_punycode()
+- Avoid 8bit overflow in is_public_suffix()
+- Avoid 'NULL + 1' as it is UB
+
 * Tue Oct 18 2022 gaoruoshu - 0.21.1-5
 - change release
-- Gitee
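Review bot: Patch6000–Patch6003 are declared in the first hunk, but no hunk touches `%prep`, and the visible header shows no earlier Patch tags in this spec, so it is worth confirming that `%prep` actually applies them (`%autosetup -p1`, `%autopatch -p1`, or one `%patch` per number); if it only runs `%setup`, the patches ship in the SRPM but never reach the built library, and the changelog would then claim fixes that are not in the binary. Three of the four patches change `domain_to_punycode()`, which the backport-Fix-stack-buffer-overflow patch itself says is only compiled when libpsl is built without an IDNA library, while this spec BuildRequires libicu-devel and libidn2-devel; unless configure selects no IDNA backend, only the is_public_suffix() fix changes the shipped code, and a short comment next to the Patch tags saying so would save the next maintainer that check. The `%prep` and `%build` sections are outside this diff.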