diff --git a/0001-Disable-running-gyp-on-shared-deps.patch b/0001-Disable-running-gyp-on-shared-deps.patch index 3c11dd8747bbd2cdb47fdc77dcac8480ef08aed2..6d662d3413c3a010b12aecef075d9c822af89a8f 100644 --- a/0001-Disable-running-gyp-on-shared-deps.patch +++ b/0001-Disable-running-gyp-on-shared-deps.patch @@ -1,30 +1,25 @@ -From 7a6257be1d0276ff22d2d92ea89c5bca6c633802 Mon Sep 17 00:00:00 2001 +From 0da4decd64a9cbfcf75b2697c722cd6fc82a164d Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova -Date: Thu, 27 Apr 2017 14:25:42 +0200 -Subject: [PATCH 1/3] Disable running gyp on shared deps +Date: Fri, 17 Apr 2020 12:59:44 +0200 +Subject: [PATCH] 0001 --- - Makefile | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index 316410e3f81e39cdddecf91d5b717c884a9c51b3..62c8ebb5b95a68e44d4c2ab3beee70d63c3175c7 100644 +index 88166da2a8..f0637b6c78 100644 --- a/Makefile 
+++ b/Makefile -@@ -123,10 +123,9 @@ with-code-cache: - test-code-cache: with-code-cache - $(PYTHON) tools/test.py $(PARALLEL_ARGS) --mode=$(BUILDTYPE_LOWER) code-cache +@@ -141,7 +141,7 @@ test-code-cache: with-code-cache + echo "'test-code-cache' target is a noop" --out/Makefile: common.gypi deps/uv/uv.gyp deps/http_parser/http_parser.gyp \ -- deps/zlib/zlib.gyp deps/v8/gypfiles/toolchain.gypi \ -- deps/v8/gypfiles/features.gypi deps/v8/gypfiles/v8.gyp node.gyp \ -- config.gypi -+out/Makefile: common.gypi deps/http_parser/http_parser.gyp \ -+ deps/v8/gypfiles/toolchain.gypi deps/v8/gypfiles/features.gypi \ -+ deps/v8/gypfiles/v8.gyp node.gyp config.gypi + out/Makefile: config.gypi common.gypi node.gyp \ +- deps/uv/uv.gyp deps/http_parser/http_parser.gyp deps/zlib/zlib.gyp \ ++ deps/http_parser/http_parser.gyp \ + tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ + tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp $(PYTHON) tools/gyp_node.py -f make - - config.gypi: configure configure.py -- -2.24.1 +2.25.2 diff --git a/0002-Install-both-binaries-and-use-libdir.patch b/0002-Install-both-binaries-and-use-libdir.patch index 9e184d7e926bdc2c6914a91365a6620725ac0955..c0613bf6bf3e456f3f070c3b1833c70297a72703 100644 --- a/0002-Install-both-binaries-and-use-libdir.patch +++ b/0002-Install-both-binaries-and-use-libdir.patch @@ -1,7 +1,7 @@ -From 8828c8fdc98f310a718a65ebc47d8a163e41b0cb Mon Sep 17 00:00:00 2001 +From 11512edeb046b64be4daca76f061a3a918251ee0 Mon Sep 17 00:00:00 2001 From: Elliott Sales de Andrade Date: Tue, 19 Mar 2019 23:22:40 -0400 -Subject: [PATCH 2/3] Install both binaries and use libdir. +Subject: [PATCH 2/2] Install both binaries and use libdir. This allows us to build with a shared library for other users while still providing the normal executable. @@ -13,10 +13,10 @@ Signed-off-by: Elliott Sales de Andrade 2 files changed, 20 insertions(+), 16 deletions(-) 
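Review bot: The regenerated header in the first hunk of 0001-Disable-running-gyp-on-shared-deps.patch replaces the descriptive subject with `Subject: [PATCH] 0001`, so the patch no longer says what it does once it is separated from its file name. I would keep the earlier wording, `Subject: [PATCH] Disable running gyp on shared deps`. A one-line body would also help, saying why `deps/uv/uv.gyp` and `deps/zlib/zlib.gyp` are dropped from the `out/Makefile` prerequisites. Presumably those libraries come from the system; that is inferred from the patch title, not stated on the page.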
diff --git a/configure.py b/configure.py -index 22861a10eeac54cae69fc1be4b9aef7ed5106a35..48389fbdcb57cbf8d9c11d4921c65f34a1937cc7 100755 +index 6537a62d3954d83927c698db3fb80c9fc05faba7..b9a894bec9e5fd954004bcb423822ca984066dc5 100755 --- a/configure.py +++ b/configure.py -@@ -552,6 +552,12 @@ parser.add_option('--shared', +@@ -571,6 +571,12 @@ parser.add_option('--shared', help='compile shared library for embedding node in another project. ' + '(This mode is not officially supported for regular applications)') @@ -29,19 +29,19 @@ index 22861a10eeac54cae69fc1be4b9aef7ed5106a35..48389fbdcb57cbf8d9c11d4921c65f34 parser.add_option('--without-v8-platform', action='store_true', dest='without_v8_platform', -@@ -1095,6 +1101,7 @@ def configure_node(o): - if options.code_cache_path: - o['variables']['node_code_cache_path'] = options.code_cache_path +@@ -1105,6 +1111,7 @@ def configure_node(o): + o['variables']['node_no_browser_globals'] = b(options.no_browser_globals) + o['variables']['node_shared'] = b(options.shared) + o['variables']['libdir'] = options.libdir node_module_version = getmoduleversion.get_version() - if sys.platform == 'darwin': + if options.dest_os == 'android': diff --git a/tools/install.py b/tools/install.py -index 028c32ecbbdf9625238dfcc2baef66df9408b539..bf443c4d15a3b3ebf1e10a5dd802e9c5999691e5 100755 +index 655802980a6ea94d1d4ca1dc63c8c8e905fbb83a..fe4723bf15012c8aacacb0393dc8294c049b0503 100755 --- a/tools/install.py +++ b/tools/install.py -@@ -117,26 +117,23 @@ def subdir_files(path, dest, action): +@@ -121,26 +121,23 @@ def subdir_files(path, dest, action): def files(action): is_windows = sys.platform == 'win32' diff --git a/0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch b/0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch deleted file mode 100644 index 9a02d6519c42ec29ba4d7acfec0eb7089c916caf..0000000000000000000000000000000000000000 --- a/0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch +++ /dev/null 
@@ -1,122 +0,0 @@ -From 9ca4d4aeccf50e6c036e5536ef070a09c1776817 Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Fri, 6 Dec 2019 16:40:25 -0500 -Subject: [PATCH 3/3] build: auto-load ICU data from - --with-icu-default-data-dir - -When compiled with `--with-intl=small` and -`--with-icu-default-data-dir=PATH`, Node.js will use PATH as a -fallback location for the ICU data. - -We will first perform an access check using fopen(PATH, 'r') to -ensure that the file is readable. If it is, we'll set the -icu_data_directory and proceed. There's a slight overhead for the -fopen() check, but it should be barely measurable. - -This will be useful for Linux distribution packagers who want to -be able to ship a minimal node binary in a container image but -also be able to add on the full i18n support where needed. With -this patch, it becomes possible to ship the interpreter as -/usr/bin/node in one package for the distribution and to ship the -data files in another package (without a strict dependency -between the two). This means that users of the distribution will -not need to explicitly direct Node.js to locate the ICU data. It -also means that in environments where full internationalization is -not required, they do not need to carry the extra content (with -the associated storage costs). - -Refs: https://github.com/nodejs/node/issues/3460 - -Signed-off-by: Stephen Gallagher ---- - configure.py | 9 +++++++++ - node.gypi | 7 +++++++ - src/node.cc | 20 ++++++++++++++++++++ - 3 files changed, 36 insertions(+) - -diff --git a/configure.py b/configure.py -index 48389fbdcb57cbf8d9c11d4921c65f34a1937cc7..063e8748b954a7fed4fe084399e61371c061edab 100755 ---- a/configure.py -+++ b/configure.py -@@ -433,6 +433,14 @@ intl_optgroup.add_option('--with-icu-source', - 'the icu4c source archive. ' - 'v%d.x or later recommended.' 
% icu_versions['minimum_icu']) - -+intl_optgroup.add_option('--with-icu-default-data-dir', -+ action='store', -+ dest='with_icu_default_data_dir', -+ help='Path to the icuXXdt{lb}.dat file. If unspecified, ICU data will ' -+ 'only be read if the NODE_ICU_DATA environment variable or the ' -+ '--icu-data-dir runtime argument is used. This option has effect ' -+ 'only when Node.js is built with --with-intl=small-icu.') -+ - parser.add_option('--with-ltcg', - action='store_true', - dest='with_ltcg', -@@ -1360,6 +1368,7 @@ def configure_intl(o): - locs.add('root') # must have root - o['variables']['icu_locales'] = string.join(locs,',') - # We will check a bit later if we can use the canned deps/icu-small -+ o['variables']['icu_default_data'] = options.with_icu_default_data_dir or '' - elif with_intl == 'full-icu': - # full ICU - o['variables']['v8_enable_i18n_support'] = 1 -diff --git a/node.gypi b/node.gypi -index 466a1746811cfac1a8ce4ef604ef1152c6229ff1..65b97d6466a14f4343a948a5fc36f8a2580badfb 100644 ---- a/node.gypi -+++ b/node.gypi -@@ -113,6 +113,13 @@ - 'conditions': [ - [ 'icu_small=="true"', { - 'defines': [ 'NODE_HAVE_SMALL_ICU=1' ], -+ 'conditions': [ -+ [ 'icu_default_data!=""', { -+ 'defines': [ -+ 'NODE_ICU_DEFAULT_DATA_DIR="<(icu_default_data)"', -+ ], -+ }], -+ ], - }]], - }], - [ 'node_use_bundled_v8=="true" and \ -diff --git a/src/node.cc b/src/node.cc -index 7c0118758dfd9449283b900209b2ba8df7ddd129..c9840e3e367ca47176a17a7940a1e08eb1f56f78 100644 ---- a/src/node.cc -+++ b/src/node.cc -@@ -92,6 +92,7 @@ - - #if defined(NODE_HAVE_I18N_SUPPORT) - #include -+#include - #endif - - #if defined(LEAK_SANITIZER) -@@ -2643,6 +2644,25 @@ void Init(std::vector* argv, - // If the parameter isn't given, use the env variable. 
- if (per_process_opts->icu_data_dir.empty()) - SafeGetenv("NODE_ICU_DATA", &per_process_opts->icu_data_dir); -+ -+#ifdef NODE_ICU_DEFAULT_DATA_DIR -+ // If neither the CLI option nor the environment variable was specified, -+ // fall back to the configured default -+ if (per_process_opts->icu_data_dir.empty()) { -+ // Check whether the NODE_ICU_DEFAULT_DATA_DIR contains the right data -+ // file and can be read. -+ static const char full_path[] = -+ NODE_ICU_DEFAULT_DATA_DIR "/" U_ICUDATA_NAME ".dat"; -+ -+ FILE* f = fopen(full_path, "rb"); -+ -+ if (f != nullptr) { -+ fclose(f); -+ per_process_opts->icu_data_dir = NODE_ICU_DEFAULT_DATA_DIR; -+ } -+ } -+#endif // NODE_ICU_DEFAULT_DATA_DIR -+ - // Initialize ICU. - // If icu_data_dir is empty here, it will load the 'minimal' data. - if (!i18n::InitializeICUDirectory(per_process_opts->icu_data_dir)) { --- -2.24.1 - diff --git a/0004-Make-AARCH64-compile-on-64KB-physical-pages.patch b/0004-Make-AARCH64-compile-on-64KB-physical-pages.patch new file mode 100644 index 0000000000000000000000000000000000000000..c276904fc92112e3f7a921c3b9798990a8cfd29e --- /dev/null +++ b/0004-Make-AARCH64-compile-on-64KB-physical-pages.patch 
@@ -0,0 +1,25 @@
+From 8a189060f6e5f969fc331f4531f31c319d654639 Mon Sep 17 00:00:00 2001
+From: hht8
+Date: Mon, 4 Jan 2021 09:14:35 +0800
+Subject: [PATCH] Make AARCH64 compile on 64KB physical pages
+
+---
+ deps/v8/src/base/build_config.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/deps/v8/src/base/build_config.h b/deps/v8/src/base/build_config.h
+index f430082..098e36f 100644
+--- a/deps/v8/src/base/build_config.h
++++ b/deps/v8/src/base/build_config.h
+@@ -202,7 +202,7 @@
+ #endif
+
+ // Number of bits to represent the page size for paged spaces.
+-#if defined(V8_TARGET_ARCH_PPC) || defined(V8_TARGET_ARCH_PPC64)
++#if defined(V8_TARGET_ARCH_PPC) || defined(V8_TARGET_ARCH_PPC64) || defined(V8_TARGET_ARCH_ARM64)
+ // PPC has large (64KB) physical pages.
+ const int kPageSizeBits = 19;
+ #else
+--
+2.23.0
+
diff --git a/0004-src-avoid-OOB-read-in-URL-parser.patch b/0004-src-avoid-OOB-read-in-URL-parser.patch
deleted file mode 100644
index 6108a397efe0aa1ec92b151657b57791d4537977..0000000000000000000000000000000000000000
--- a/0004-src-avoid-OOB-read-in-URL-parser.patch
+++ /dev/null
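Review bot: The context comment `// PPC has large (64KB) physical pages.` under the widened `#if` in deps/v8/src/base/build_config.h no longer matches the condition, which now also selects `kPageSizeBits = 19` for every `V8_TARGET_ARCH_ARM64` build. I would have the patch update it to something like `// PPC and ARM64 systems may use large (64KB) physical pages.`. The selection is made at compile time from the target architecture, so ARM64 hosts with smaller kernel pages get the same V8 page size; the patch description gives no rationale and does not say whether that trade-off was considered. The `#if`/`#else` block continues outside the hunk, so the value used for other architectures is not visible here.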
@@ -1,79 +0,0 @@ -From 4cb8fa4aa5dea72bc66ea950e3fc193385bb7175 Mon Sep 17 00:00:00 2001 -From: gaozhekang -Date: Wed, 4 Nov 2020 11:12:53 +0800 -Subject: [PATCH] src: avoid OOB read in URL parser - -This is not a big concern, because right now, all (non-test) inputs -to the parser are `'\0'`-terminated, but we should be future-proof -here and not perform these OOB reads. - ---- - src/node_url.cc | 6 +++--- - test/cctest/test_url.cc | 20 ++++++++++++++++++++ - 2 files changed, 23 insertions(+), 3 deletions(-) - -diff --git a/src/node_url.cc b/src/node_url.cc -index 7bfcde5..41492b1 100644 ---- a/src/node_url.cc -+++ b/src/node_url.cc -@@ -1487,7 +1487,7 @@ void URL::Parse(const char* input, - state = kSpecialRelativeOrAuthority; - } else if (special) { - state = kSpecialAuthoritySlashes; -- } else if (p[1] == '/') { -+ } else if (p + 1 < end && p[1] == '/') { - state = kPathOrAuthority; - p++; - } else { -@@ -1547,7 +1547,7 @@ void URL::Parse(const char* input, - } - break; - case kSpecialRelativeOrAuthority: -- if (ch == '/' && p[1] == '/') { -+ if (ch == '/' && p + 1 < end && p[1] == '/') { - state = kSpecialAuthorityIgnoreSlashes; - p++; - } else { -@@ -1695,7 +1695,7 @@ void URL::Parse(const char* input, - break; - case kSpecialAuthoritySlashes: - state = kSpecialAuthorityIgnoreSlashes; -- if (ch == '/' && p[1] == '/') { -+ if (ch == '/' && p + 1 < end && p[1] == '/') { - p++; - } else { - continue; -diff --git a/test/cctest/test_url.cc b/test/cctest/test_url.cc -index ddef534..810cbc2 100644 ---- a/test/cctest/test_url.cc -+++ b/test/cctest/test_url.cc -@@ -80,6 +80,26 @@ TEST_F(URLTest, Base3) { - EXPECT_EQ(simple.path(), "/baz"); - } - -+TEST_F(URLTest, TruncatedAfterProtocol) { -+ char input[2] = { 'q', ':' }; -+ URL simple(input, sizeof(input)); -+ -+ EXPECT_FALSE(simple.flags() & URL_FLAGS_FAILED); -+ EXPECT_EQ(simple.protocol(), "q:"); -+ EXPECT_EQ(simple.host(), ""); -+ EXPECT_EQ(simple.path(), "/"); -+} -+ -+TEST_F(URLTest, TruncatedAfterProtocol2) { 
-+ char input[6] = { 'h', 't', 't', 'p', ':', '/' }; -+ URL simple(input, sizeof(input)); -+ -+ EXPECT_TRUE(simple.flags() & URL_FLAGS_FAILED); -+ EXPECT_EQ(simple.protocol(), "http:"); -+ EXPECT_EQ(simple.host(), ""); -+ EXPECT_EQ(simple.path(), ""); -+} -+ - TEST_F(URLTest, ToFilePath) { - #define T(url, path) EXPECT_EQ(path, URL(url).ToFilePath()) - T("http://example.org/foo/bar", ""); --- -2.23.0 - diff --git a/0005-use-getauxval-in-node_main_cc.patch b/0005-use-getauxval-in-node_main_cc.patch new file mode 100644 index 0000000000000000000000000000000000000000..b1c67ae33dbff030bee6144477fb5ffa8ba797aa --- /dev/null +++ b/0005-use-getauxval-in-node_main_cc.patch 
@@ -0,0 +1,60 @@
+From 7232c2a1604d241ce0455d919ba9b0b8e9959f81 Mon Sep 17 00:00:00 2001
+From: Daniel Bevenius
+Date: Tue, 2 Jun 2020 05:33:25 +0200
+Subject: [PATCH] src: use getauxval in node_main.cc
+
+This commit suggests using getauxval in node_main.cc.
+
+The motivation for this is that getauxval was introduced in glibc 2.16
+and looking at BUILDING.md, in the 'Platform list' section, it looks
+like we now support glibc >= 2.17 and perhaps this change would be
+alright now.
+
+PR-URL: https://github.com/nodejs/node/pull/33693
+Refs: https://github.com/nodejs/node/pull/12548
+Reviewed-By: Ben Noordhuis
+Reviewed-By: David Carlier
+Reviewed-By: Anna Henningsen
+Reviewed-By: Colin Ihrig
+Reviewed-By: James M Snell
+---
+ src/node_main.cc | 18 ++----------------
+ 1 file changed, 2 insertions(+), 16 deletions(-)
+
+diff --git a/src/node_main.cc b/src/node_main.cc
+index 9f4ea22d12c6..6bac10759325 100644
+--- a/src/node_main.cc
++++ b/src/node_main.cc
+@@ -89,13 +89,7 @@ int wmain(int argc, wchar_t* wargv[]) {
+ #else
+ // UNIX
+ #ifdef __linux__
+-#include
+-#ifdef __LP64__
+-#define Elf_auxv_t Elf64_auxv_t
+-#else
+-#define Elf_auxv_t Elf32_auxv_t
+-#endif // __LP64__
+-extern char** environ;
++#include
+ #endif // __linux__
+ #if defined(__POSIX__) && defined(NODE_SHARED_MODE)
+ #include
+@@ -124,15 +118,7 @@ int main(int argc, char* argv[]) {
+ #endif
+
+ #if defined(__linux__)
+- char** envp = environ;
+- while (*envp++ != nullptr) {}
+- Elf_auxv_t* auxv = reinterpret_cast(envp);
+- for (; auxv->a_type != AT_NULL; auxv++) {
+- if (auxv->a_type == AT_SECURE) {
+- node::per_process::linux_at_secure = auxv->a_un.a_val;
+- break;
+- }
+- }
++ node::per_process::linux_at_secure = getauxval(AT_SECURE);
+ #endif
+ // Disable stdio buffering, it interacts poorly with printf()
+ // calls elsewhere in the program (e.g., any logging from V8.)
+
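Review bot: `getauxval(AT_SECURE)` returns 0 both when the kernel reports AT_SECURE as 0 and when the entry is missing from the auxiliary vector, so the new one-line assignment in `main()` cannot tell a non-privileged exec from one where the value could not be determined. The removed loop left `linux_at_secure` untouched when it found no AT_SECURE entry, so this is probably not a regression, but the flag is security-relevant and the fail-open default deserves a comment: `// getauxval() returns 0 when AT_SECURE is absent; that case is treated as a non-secure exec.` The call returns `unsigned long`; if `linux_at_secure` is a `bool` (its declaration is outside the hunk), writing `getauxval(AT_SECURE) != 0` would make the conversion explicit. The body of `main()` continues outside the hunk.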
diff --git a/CVE-2020-8252.patch b/CVE-2020-8252.patch deleted file mode 100644 index de3ca915e23b01c540b98052286a392ce7fd8bc7..0000000000000000000000000000000000000000 --- a/CVE-2020-8252.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 0e6e8620496dff0eb285589ef1e37a7f407f3ddd Mon Sep 17 00:00:00 2001 -From: Ben Noordhuis -Date: Mon, 24 Aug 2020 11:42:27 +0200 -Subject: [PATCH] unix: don't use _POSIX_PATH_MAX - -Libuv was using _POSIX_PATH_MAX wrong. Bug introduced in commit b56d279b -("unix: do not require PATH_MAX to be defined") from September 2018. - -_POSIX_PATH_MAX is the minimum max path size guaranteed by POSIX, not -the actual max path size of the system libuv runs on. _POSIX_PATH_MAX -is always 256, the real max is often much bigger. - -This commit fixes buffer overruns when processing very long paths in -uv_fs_readlink() and uv_fs_realpath() because libuv was not allocating -enough memory to store the result. - -Fixes: https://github.com/libuv/libuv/issues/2965 -PR-URL: https://github.com/libuv/libuv/pull/2966 -Reviewed-By: Richard Lau -Reviewed-By: Santiago Gimeno -Reviewed-By: Colin Ihrig -Reviewed-By: Jameson Nash ---- - - deps/uv/src/unix/internal.h | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/deps/uv/src/unix/internal.h b/deps/uv/src/unix/internal.h -index 47f2200..82f7bc9 100644 ---- a/deps/uv/src/unix/internal.h -+++ b/deps/uv/src/unix/internal.h -@@ -61,9 +61,7 @@ - # include - #endif - --#if defined(_POSIX_PATH_MAX) --# define UV__PATH_MAX _POSIX_PATH_MAX --#elif defined(PATH_MAX) -+#if defined(PATH_MAX) - # define UV__PATH_MAX PATH_MAX - #else - # define UV__PATH_MAX 8192 --- -2.23.0 - diff --git a/CVE-2020-8265.patch b/CVE-2020-8265.patch deleted file mode 100644 index 8720755ce29dd43ce9eb6555637052da51cec48b..0000000000000000000000000000000000000000 --- a/CVE-2020-8265.patch +++ /dev/null 
@@ -1,281 +0,0 @@ -From 7f178663ebffc82c9f8a5a1b6bf2da0c263a30ed Mon Sep 17 00:00:00 2001 -From: Daniel Bevenius -Date: Wed, 2 Dec 2020 18:21:41 +0100 -Subject: [PATCH] src: use unique_ptr for WriteWrap -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This commit attempts to avoid a use-after-free error by using unqiue_ptr -and passing a reference to it. - -CVE-ID: CVE-2020-8265 -Fixes: https://github.com/nodejs-private/node-private/issues/227 -PR-URL: https://github.com/nodejs-private/node-private/pull/238 -Reviewed-By: Michael Dawson -Reviewed-By: Tobias Nießen -Reviewed-By: Richard Lau -Reference: https://github.com/nodejs/node/commit/7f178663ebffc82c9f8a5a1b6bf2da0c263a30ed ---- - src/js_stream.cc | 4 ++-- - src/js_stream.h | 2 +- - src/node_file.h | 2 +- - src/node_http2.cc | 4 ++-- - src/node_http2.h | 2 +- - src/stream_base-inl.h | 8 ++++---- - src/stream_base.h | 9 +++++---- - src/stream_wrap.cc | 4 ++-- - src/stream_wrap.h | 2 +- - src/tls_wrap.cc | 13 +++++++------ - src/tls_wrap.h | 4 ++-- - 11 files changed, 28 insertions(+), 26 deletions(-) - -diff --git a/src/js_stream.cc b/src/js_stream.cc -index e3d734c..4054e90 100644 ---- a/src/js_stream.cc -+++ b/src/js_stream.cc -@@ -105,7 +105,7 @@ int JSStream::DoShutdown(ShutdownWrap* req_wrap) { - } - - --int JSStream::DoWrite(WriteWrap* w, -+int JSStream::DoWrite(std::unique_ptr& w, - uv_buf_t* bufs, - size_t count, - uv_stream_t* send_handle) { -@@ -122,7 +122,7 @@ int JSStream::DoWrite(WriteWrap* w, - } - - Local argv[] = { -- w->object(), -+ w.get()->object(), - bufs_arr - }; - -diff --git a/src/js_stream.h b/src/js_stream.h -index 6612e55..bf0d15d 100644 ---- a/src/js_stream.h -+++ b/src/js_stream.h -@@ -22,7 +22,7 @@ class JSStream : public AsyncWrap, public StreamBase { - int ReadStop() override; - - int DoShutdown(ShutdownWrap* req_wrap) override; -- int DoWrite(WriteWrap* w, -+ int DoWrite(std::unique_ptr& w, - uv_buf_t* bufs, - size_t count, - 
uv_stream_t* send_handle) override; -diff --git a/src/node_file.h b/src/node_file.h -index cbbb8b0..b440c14 100644 ---- a/src/node_file.h -+++ b/src/node_file.h -@@ -287,7 +287,7 @@ class FileHandle : public AsyncWrap, public StreamBase { - ShutdownWrap* CreateShutdownWrap(v8::Local object) override; - int DoShutdown(ShutdownWrap* req_wrap) override; - -- int DoWrite(WriteWrap* w, -+ int DoWrite(std::unique_ptr& w, - uv_buf_t* bufs, - size_t count, - uv_stream_t* send_handle) override { -diff --git a/src/node_http2.cc b/src/node_http2.cc -index 9bde444..2a523a4 100644 ---- a/src/node_http2.cc -+++ b/src/node_http2.cc -@@ -2314,7 +2314,7 @@ int Http2Stream::ReadStop() { - // chunks of data have been flushed to the underlying nghttp2_session. - // Note that this does *not* mean that the data has been flushed - // to the socket yet. --int Http2Stream::DoWrite(WriteWrap* req_wrap, -+int Http2Stream::DoWrite(std::unique_ptr& req_wrap, - uv_buf_t* bufs, - size_t nbufs, - uv_stream_t* send_handle) { -@@ -2329,7 +2329,7 @@ int Http2Stream::DoWrite(WriteWrap* req_wrap, - // Store the req_wrap on the last write info in the queue, so that it is - // only marked as finished once all buffers associated with it are finished. - queue_.emplace(nghttp2_stream_write { -- i == nbufs - 1 ? req_wrap : nullptr, -+ i == nbufs - 1 ? 
req_wrap.get() : nullptr, - bufs[i] - }); - IncrementAvailableOutboundLength(bufs[i].len); -diff --git a/src/node_http2.h b/src/node_http2.h -index 1526e0b..d1d523e 100644 ---- a/src/node_http2.h -+++ b/src/node_http2.h -@@ -568,7 +568,7 @@ class Http2Stream : public AsyncWrap, - - AsyncWrap* GetAsyncWrap() override { return this; } - -- int DoWrite(WriteWrap* w, uv_buf_t* bufs, size_t count, -+ int DoWrite(std::unique_ptr& w, uv_buf_t* bufs, size_t count, - uv_stream_t* send_handle) override; - - void MemoryInfo(MemoryTracker* tracker) const override { -diff --git a/src/stream_base-inl.h b/src/stream_base-inl.h -index 027b938..dca02ac 100644 ---- a/src/stream_base-inl.h -+++ b/src/stream_base-inl.h -@@ -216,14 +216,14 @@ inline StreamWriteResult StreamBase::Write( - } - - AsyncHooks::DefaultTriggerAsyncIdScope trigger_scope(GetAsyncWrap()); -- WriteWrap* req_wrap = CreateWriteWrap(req_wrap_obj); -+ std::unique_ptr req_wrap{CreateWriteWrap(req_wrap_obj)}; - - err = DoWrite(req_wrap, bufs, count, send_handle); - bool async = err == 0; - -- if (!async) { -+ if (!async && req_wrap != nullptr) { - req_wrap->Dispose(); -- req_wrap = nullptr; -+ req_wrap.release(); - } - - const char* msg = Error(); -@@ -232,7 +232,7 @@ inline StreamWriteResult StreamBase::Write( - ClearError(); - } - -- return StreamWriteResult { async, err, req_wrap, total_bytes }; -+ return StreamWriteResult { async, err, req_wrap.release(), total_bytes }; - } - - template -diff --git a/src/stream_base.h b/src/stream_base.h -index 65abd4d..3e922a4 100644 ---- a/src/stream_base.h -+++ b/src/stream_base.h -@@ -215,10 +215,11 @@ class StreamResource { - virtual int DoTryWrite(uv_buf_t** bufs, size_t* count); - // Perform a write of data, and either call req_wrap->Done() when finished - // and return 0, or return a libuv error code for synchronous failures. 
-- virtual int DoWrite(WriteWrap* w, -- uv_buf_t* bufs, -- size_t count, -- uv_stream_t* send_handle) = 0; -+ virtual int DoWrite( -+ /* NOLINT (runtime/references) */ std::unique_ptr& w, -+ uv_buf_t* bufs, -+ size_t count, -+ uv_stream_t* send_handle) = 0; - - // Returns true if the stream supports the `OnStreamWantsWrite()` interface. - virtual bool HasWantsWrite() const { return false; } -diff --git a/src/stream_wrap.cc b/src/stream_wrap.cc -index 10444fe..bd512e3 100644 ---- a/src/stream_wrap.cc -+++ b/src/stream_wrap.cc -@@ -351,11 +351,11 @@ int LibuvStreamWrap::DoTryWrite(uv_buf_t** bufs, size_t* count) { - } - - --int LibuvStreamWrap::DoWrite(WriteWrap* req_wrap, -+int LibuvStreamWrap::DoWrite(std::unique_ptr& req_wrap, - uv_buf_t* bufs, - size_t count, - uv_stream_t* send_handle) { -- LibuvWriteWrap* w = static_cast(req_wrap); -+ LibuvWriteWrap* w = static_cast(req_wrap.get()); - int r; - if (send_handle == nullptr) { - r = w->Dispatch(uv_write, stream(), bufs, count, AfterUvWrite); -diff --git a/src/stream_wrap.h b/src/stream_wrap.h -index 98f0ca4..3c00d33 100644 ---- a/src/stream_wrap.h -+++ b/src/stream_wrap.h -@@ -51,7 +51,7 @@ class LibuvStreamWrap : public HandleWrap, public StreamBase { - // Resource implementation - int DoShutdown(ShutdownWrap* req_wrap) override; - int DoTryWrite(uv_buf_t** bufs, size_t* count) override; -- int DoWrite(WriteWrap* w, -+ int DoWrite(std::unique_ptr& w, - uv_buf_t* bufs, - size_t count, - uv_stream_t* send_handle) override; -diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc -index ce46e21..65ea884 100644 ---- a/src/tls_wrap.cc -+++ b/src/tls_wrap.cc -@@ -91,8 +91,7 @@ bool TLSWrap::InvokeQueued(int status, const char* error_str) { - return false; - - if (current_write_ != nullptr) { -- WriteWrap* w = current_write_; -- current_write_ = nullptr; -+ WriteWrap* w = current_write_.release(); - w->Done(status, error_str); - } - -@@ -617,7 +616,7 @@ void TLSWrap::ClearError() { - - - // Called by StreamBase::Write() to 
request async write of clear text into SSL. --int TLSWrap::DoWrite(WriteWrap* w, -+int TLSWrap::DoWrite(std::unique_ptr& w, - uv_buf_t* bufs, - size_t count, - uv_stream_t* send_handle) { -@@ -651,7 +650,7 @@ int TLSWrap::DoWrite(WriteWrap* w, - if (BIO_pending(enc_out_) == 0) { - Debug(this, "No pending encrypted output, writing to underlying stream"); - CHECK_NULL(current_empty_write_); -- current_empty_write_ = w; -+ current_empty_write_ = w.get(); - StreamWriteResult res = - underlying_stream()->Write(bufs, count, send_handle); - if (!res.async) { -@@ -666,7 +665,7 @@ int TLSWrap::DoWrite(WriteWrap* w, - - // Store the current write wrap - CHECK_NULL(current_write_); -- current_write_ = w; -+ current_write_ = std::move(w); - - // Write encrypted data to underlying stream and call Done(). - if (length == 0) { -@@ -705,7 +704,7 @@ int TLSWrap::DoWrite(WriteWrap* w, - // If we stopped writing because of an error, it's fatal, discard the data. - if (!arg.IsEmpty()) { - Debug(this, "Got SSL error (%d), returning UV_EPROTO", err); -- current_write_ = nullptr; -+ current_write_.release(); - return UV_EPROTO; - } - -@@ -718,6 +717,8 @@ int TLSWrap::DoWrite(WriteWrap* w, - // Write any encrypted/handshake output that may be ready. - EncOut(); - -+ w.reset(current_write_.get()); -+ - return 0; - } - -diff --git a/src/tls_wrap.h b/src/tls_wrap.h -index bfcf07b..e2e748b 100644 ---- a/src/tls_wrap.h -+++ b/src/tls_wrap.h -@@ -67,7 +67,7 @@ class TLSWrap : public AsyncWrap, - ShutdownWrap* CreateShutdownWrap( - v8::Local req_wrap_object) override; - int DoShutdown(ShutdownWrap* req_wrap) override; -- int DoWrite(WriteWrap* w, -+ int DoWrite(std::unique_ptr& w, - uv_buf_t* bufs, - size_t count, - uv_stream_t* send_handle) override; -@@ -170,7 +170,7 @@ class TLSWrap : public AsyncWrap, - // Waiting for ClearIn() to pass to SSL_write(). 
- std::vector pending_cleartext_input_; - size_t write_size_ = 0; -- WriteWrap* current_write_ = nullptr; -+ std::unique_ptr current_write_ = nullptr; - WriteWrap* current_empty_write_ = nullptr; - bool write_callback_scheduled_ = false; - bool started_ = false; --- -2.23.0 - diff --git a/CVE-2020-8287.patch b/CVE-2020-8287.patch deleted file mode 100644 index 2d3e08c4f70572a81c95f2997277459cdf4059f4..0000000000000000000000000000000000000000 --- a/CVE-2020-8287.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From fc70ce08f5818a286fb5899a1bc3aff5965a745e Mon Sep 17 00:00:00 2001 -From: Fedor Indutny -Date: Wed, 18 Nov 2020 20:50:21 -0800 -Subject: [PATCH] http: unset `F_CHUNKED` on new `Transfer-Encoding` - -Duplicate `Transfer-Encoding` header should be a treated as a single, -but with original header values concatenated with a comma separator. In -the light of this, even if the past `Transfer-Encoding` ended with -`chunked`, we should be not let the `F_CHUNKED` to leak into the next -header, because mere presence of another header indicates that `chunked` -is not the last transfer-encoding token. - -CVE-ID: CVE-2020-8287 -PR-URL: https://github.com/nodejs-private/node-private/pull/235 -Reviewed-By: Fedor Indutny -Reference: https://github.com/nodejs/node/commit/fc70ce08f5818a286fb5899a1bc3aff5965a745e ---- - deps/http_parser/http_parser.c | 7 +++++++ - deps/http_parser/test.c | 26 ++++++++++++++++++++++++++ - 2 files changed, 33 insertions(+) - -diff --git a/deps/http_parser/http_parser.c b/deps/http_parser/http_parser.c -index 0f76b6a..5cc951a 100644 ---- a/deps/http_parser/http_parser.c -+++ b/deps/http_parser/http_parser.c -@@ -1339,6 +1339,13 @@ reexecute: - } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) { - parser->header_state = h_transfer_encoding; - parser->flags |= F_TRANSFER_ENCODING; -+ -+ /* Multiple `Transfer-Encoding` headers should be treated as -+ * one, but with values separate by a comma. 
-+ * -+ * See: https://tools.ietf.org/html/rfc7230#section-3.2.2 -+ */ -+ parser->flags &= ~F_CHUNKED; - } - break; - -diff --git a/deps/http_parser/test.c b/deps/http_parser/test.c -index c979467..f185c56 100644 ---- a/deps/http_parser/test.c -+++ b/deps/http_parser/test.c -@@ -2045,6 +2045,32 @@ const struct message responses[] = - ,.body= "2\r\nOK\r\n0\r\n\r\n" - ,.num_chunks_complete= 0 - } -+#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30 -+, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding" -+ ,.type= HTTP_RESPONSE -+ ,.raw= "HTTP/1.1 200 OK\r\n" -+ "Transfer-Encoding: chunked\r\n" -+ "Transfer-Encoding: identity\r\n" -+ "\r\n" -+ "2\r\n" -+ "OK\r\n" -+ "0\r\n" -+ "\r\n" -+ ,.should_keep_alive= FALSE -+ ,.message_complete_on_eof= TRUE -+ ,.http_major= 1 -+ ,.http_minor= 1 -+ ,.status_code= 200 -+ ,.response_status= "OK" -+ ,.content_length= -1 -+ ,.num_headers= 2 -+ ,.headers= -+ { { "Transfer-Encoding", "chunked" } -+ , { "Transfer-Encoding", "identity" } -+ } -+ ,.body= "2\r\nOK\r\n0\r\n\r\n" -+ ,.num_chunks_complete= 0 -+ } - }; - - /* strnlen() is a POSIX.2008 addition. Can't rely on it being available so --- -2.23.0 diff --git a/CVE-2021-22883.patch b/CVE-2021-22883.patch deleted file mode 100644 index 9beac8204c721d8bb11ed782267fafe55c0ad529..0000000000000000000000000000000000000000 --- a/CVE-2021-22883.patch +++ /dev/null 
@@ -1,229 +0,0 @@ -From 3f2e9dc40c9964965b075c00719829f9bb17e65f Mon Sep 17 00:00:00 2001 -From: Daniel Bevenius -Date: Fri, 22 Jan 2021 12:34:21 +0100 -Subject: [PATCH] http2: add unknownProtocol timeout -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This commit add a configuration options named unknownProtocolTimeout -which can be specified to set a value for the timeout in milliseconds -that a server should wait when an unknowProtocol is sent to it. When -this happens a timer will be started and the if the socket has not been -destroyed during that time the timer callback will destoy it. - -CVE-ID: CVE-2021-22883 -Refs: https://hackerone.com/reports/1043360 -PR-URL: https://github.com/nodejs/node/pull/246 -Backport PR-URL: https://github.com/nodejs/node/pull/248 -Reviewed-By: Beth Griggs -Reviewed-By: Matteo Collina -Reviewed-By: Michael Dawson -Reviewed-By: Rich Trott -Reviewed-By: Tobias Nießen -Reference: https://github.com/nodejs/node/commit/3f2e9dc40c9964965b075c00719829f9bb17e65f ---- - doc/api/http2.md | 25 +++++++++++++- - lib/internal/http2/core.js | 32 +++++++++++++++--- - .../test-http2-server-unknown-protocol.js | 33 +++++++++++++++++++ - 3 files changed, 85 insertions(+), 5 deletions(-) - create mode 100644 test/parallel/test-http2-server-unknown-protocol.js - -diff --git a/doc/api/http2.md b/doc/api/http2.md -index bb0ac52..9d0c258 100644 ---- a/doc/api/http2.md -+++ b/doc/api/http2.md -@@ -1864,7 +1864,9 @@ added: v8.4.0 - The `'unknownProtocol'` event is emitted when a connecting client fails to - negotiate an allowed protocol (i.e. HTTP/2 or HTTP/1.1). The event handler - receives the socket for handling. If no listener is registered for this event, --the connection is terminated. See the [Compatibility API][]. -+the connection is terminated. A timeout may be specified using the -+`'unknownProtocolTimeout'` option passed to [`http2.createSecureServer()`][]. -+See the [Compatibility API][]. 
- - #### server.close([callback]) -