diff --git a/CVE-2021-45960.patch b/CVE-2021-45960.patch
new file mode 100644
index 0000000000000000000000000000000000000000..45efbe0e7b47a654197f0f6c26cf1ef4b053f1a5
--- /dev/null
+++ b/CVE-2021-45960.patch
@@ -0,0 +1,65 @@
+From 342c6cc760e273fef7a411a5658594b51957725f Mon Sep 17 00:00:00 2001
+From: lvfei
+Date: Thu, 20 Jul 2023 13:46:51 +0800
+Subject: [PATCH] CVE-2021-45960
+
+---
+ parser/expat/lib/xmlparse.c | 32 ++++++++++++++++++++++++++++++--
+ 1 file changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/parser/expat/lib/xmlparse.c b/parser/expat/lib/xmlparse.c
+index 3ee417387c..f81a68d2fc 100644
+--- a/parser/expat/lib/xmlparse.c
++++ b/parser/expat/lib/xmlparse.c
+@@ -3382,10 +3382,17 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
+ /* END MOZILLA CHANGE */
+ int j; /* hash table index */
+ unsigned long version = nsAttsVersion;
+- int nsAttsSize = (int)1 << nsAttsPower;
++ /* Detect and prevent invalid shift */
++ if (parser->m_nsAttsPower >= sizeof(unsigned int) * 8 /* bits per byte */) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
++ unsigned int nsAttsSize = 1u << nsAttsPower;
++
+ /* BEGIN MOZILLA CHANGE (Include xmlns attributes in attributes array) */
+ if (nPrefixes) {
+ /* END MOZILLA CHANGE */
++ unsigned char oldNsAttsPower = parser->m_nsAttsPower;
+ /* size of hash table must be at least 2 * (# of prefixed attributes) */
+ if ((nPrefixes << 1) >> nsAttsPower) { /* true for nsAttsPower = 0 */
+ NS_ATT *temp;
+@@ -3393,7 +3400,28 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
+ while (nPrefixes >> nsAttsPower++);
+ if (nsAttsPower < 3)
+ nsAttsPower = 3;
+- nsAttsSize = (int)1 << nsAttsPower;
++
++ /* Detect and prevent invalid shift */
++ if (parser->m_nsAttsPower >= sizeof(nsAttsSize) * 8 /* bits per byte */) {
++ /* Restore actual size of memory in m_nsAtts */
++ parser->m_nsAttsPower = oldNsAttsPower;
++ return XML_ERROR_NO_MEMORY;
++ }
++
++ nsAttsSize = 1u << parser->m_nsAttsPower;
++
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if (nsAttsSize > (size_t)(-1) / sizeof(NS_ATT)) {
++ /* Restore actual size of memory in m_nsAtts */
++ parser->m_nsAttsPower = oldNsAttsPower;
++ return XML_ERROR_NO_MEMORY;
++ }
++#endif
++
+ temp = (NS_ATT *)REALLOC(nsAtts, nsAttsSize * sizeof(NS_ATT));
+ if (!temp)
+ return XML_ERROR_NO_MEMORY;
+--
+2.27.0
+
diff --git a/mozjs78.spec b/mozjs78.spec
index a3fedee23067faa2178b7239cc256f2fdfeea36d..14d3a2d85381f7b83f07a6eade0d58d0a0a82a51 100644
--- a/mozjs78.spec
+++ b/mozjs78.spec
@@ -2,7 +2,7 @@ Name: mozjs%{major} Version: 78.4.0 -Release: 7 +Release: 8 Summary: SpiderMonkey JavaScript library License: MPLv2.0 and MPLv1.1 and BSD and GPLv2+ and GPLv3+ and LGPLv2+ and AFL and ASL 2.0 URL: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey
@@ -30,6 +30,7 @@ Patch14: CVE-2021-29946.patch Patch15: CVE-2022-34481.patch Patch16: CVE-2023-29532.patch Patch17: CVE-2022-22740.patch +Patch18: CVE-2021-45960.patch BuildRequires: autoconf213 cargo clang-devel gcc gcc-c++ perl-devel pkgconfig(libffi) pkgconfig(zlib) BuildRequires: python3-devel python3-six readline-devel zip nasm llvm llvm-devel icu rust
@@ -109,6 +110,9 @@ popd %doc js/src/README.html %changelog +* Thu Jun 13 2024 lvfei - - 78.4.0-8 +- Fix CVE-2021-45960 + * Thu Jun 13 2024 sunhai - 78.4.0-7 - fix CVE-2022-22740
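Review bot: The `#if UINT_MAX >= SIZE_MAX` guard in the second inner hunk only does its job if both macros are visible in Mozilla's xmlparse.c; the includes are outside this patch, and an undefined name inside `#if` silently evaluates as 0, so a missing `UINT_MAX` would turn the condition into `0 >= SIZE_MAX` and compile the allocation-size overflow check out on 32-bit targets. Confirm that `<limits.h>` and `<stdint.h>` are included in that file, or add them in the patch, and consider building with `-Wundef` so this class of silent guard failure is reported. The new code also spells the same field two ways: the first guard reads `parser->m_nsAttsPower` while the shift right after it uses `nsAttsPower`, presumably the file's accessor macro for the same member, so one spelling such as `unsigned int nsAttsSize = 1u << parser->m_nsAttsPower;` would match the second hunk and make the relation between check and shift obvious. storeAtts starts and ends outside both inner hunks.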
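Review bot: `Patch18: CVE-2021-45960.patch` is declared in the second spec hunk, but no `%patch18` application line appears in this diff; if the `%prep` section applies patches individually rather than through `%autosetup` or `%autopatch`, the new patch is never applied and release 8 ships without the fix, so please confirm how `%prep` is written. The new changelog entry `* Thu Jun 13 2024 lvfei - - 78.4.0-8` also carries a doubled `- -` where the entry below it uses a single `-`, so `* Thu Jun 13 2024 lvfei - 78.4.0-8` would match the file's existing format.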