packages/libpsl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix overflow and Avoid 'NULL + 1'

Browse Source
This commit is contained in:
shixuantong 2024-04-15 10:41:54 +08:00
parent 27343f84f4
commit 10e27df36d
5 changed files with 392 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
backport-Avoid-8bit-overflow-in-is_public_suffix.patch Normal file
View File

@ -0,0 +1,29 @@
From 55d0ae04dea0856311b05ea03567d65bf8b9e45d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Sun, 16 Jan 2022 12:51:33 +0100
Subject: [PATCH] Avoid 8bit overflow in is_public_suffix()
---
src/psl.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/psl.c b/src/psl.c
index be95602..8e7a9e8 100644
--- a/src/psl.c
+++ b/src/psl.c
@@ -835,8 +835,11 @@ static int is_public_suffix(const psl_ctx_t *psl, const char *domain, int type)
suffix.nlabels = 1;
for (p = domain; *p; p++) {
- if (*p == '.')
+ if (*p == '.') {
+ if (suffix.nlabels == 255) // weird input, avoid 8bit overflow
+ return 0;
suffix.nlabels++;
+ }
else if (*((unsigned char *)p) >= 128)
need_conversion = 1; /* in case domain is non-ascii we need a toASCII conversion */
}
--
2.27.0

37
backport-Avoid-NULL-add-1-as-it-is-UB.patch Normal file
View File

@ -0,0 +1,37 @@
From 21d2d5191160439544150c017216f751c2c392fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Sun, 16 Jan 2022 12:55:51 +0100
Subject: [PATCH] Avoid 'NULL + 1' as it is UB
---
src/psl.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/psl.c b/src/psl.c
index 8e7a9e8..f85a895 100644
--- a/src/psl.c
+++ b/src/psl.c
@@ -568,7 +568,7 @@ static int domain_to_punycode(const char *domain, char *out, size_t outsize)
punycode_uint input[256];
const char *label, *e;
- for (e = label = domain; e; label = e + 1) {
+ for (e = label = domain; e;) {
e = strchr(label, '.');
labellen = e ? (size_t) (e - label) : strlen(label);
@@ -596,8 +596,10 @@ static int domain_to_punycode(const char *domain, char *out, size_t outsize)
outlen += labellen;
}
- if (e)
+ if (e) {
+ label = e + 1;
out[outlen++] = '.';
+ }
out[outlen] = 0;
}
--
2.27.0

29
backport-Fix-stack-buffer-overflow-WRITE-1-in-domain_to_punycode.patch Normal file
View File

@ -0,0 +1,29 @@
From 1023a9ad12d146608ba6326a3114f9b23b812124 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Sat, 15 Jan 2022 22:38:32 +0100
Subject: [PATCH] Fix stack buffer overflow WRITE 1 in domain_to_punycode()
Reported-by: oss-fuzz (issue 39424 and issue 39226)
The affected code would only be built into the library when
configured to build without any IDNA library.
---
src/psl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/psl.c b/src/psl.c
index eefde3c..be95602 100644
--- a/src/psl.c
+++ b/src/psl.c
@@ -590,7 +590,7 @@ static int domain_to_punycode(const char *domain, char *out, size_t outsize)
memcpy(out + outlen, "xn--", 4);
outlen += 4;
- labellen = outsize - outlen - 1; // -1 to leave space for the trailing \0
+ labellen = outsize - outlen - (e != NULL) - 1; // -1 to leave space for the trailing \0
if (punycode_encode(inputlen, input, &labellen, out + outlen))
return 1;
outlen += labellen;
--
2.27.0

285
backport-Fix-write-buffer-overflow-by-1-in-domain_to_punycode.patch Normal file
View File

@ -0,0 +1,285 @@
From b2625f93f2dcb28ea6c4b33d4cb7ff50a24f3c00 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Sun, 26 Sep 2021 18:01:59 +0200
Subject: [PATCH] Fix write buffer overflow by 1 in domain_to_punycode()
This issue has been triggered after the previous commit increased
the size of label_buf.
It has been found by OSS-Fuzz (issue 39226).
The testcase is included into the unit tests.
---
...stcase-libpsl_load_fuzzer-5191070590304256 | 231 ++++++++++++++++++
src/psl.c | 5 +-
2 files changed, 232 insertions(+), 4 deletions(-)
create mode 100644 fuzz/libpsl_load_fuzzer.repro/clusterfuzz-testcase-libpsl_load_fuzzer-5191070590304256
diff --git a/fuzz/libpsl_load_fuzzer.repro/clusterfuzz-testcase-libpsl_load_fuzzer-5191070590304256 b/fuzz/libpsl_load_fuzzer.repro/clusterfuzz-testcase-libpsl_load_fuzzer-5191070590304256
new file mode 100644
index 0000000..9d276c1
--- /dev/null
+++ b/fuzz/libpsl_load_fuzzer.repro/clusterfuzz-testcase-libpsl_load_fuzzer-5191070590304256
@@ -0,0 +1,231 @@
+^^Z^^^^^^^^^^^^^^^^^^^^rRRRINS===
+com
+а
+зٰ
<>
Ը

+<2B>ؿ
+٫
+ϲ

+ڸϰ
+ϰԸ
+<2B>
+٫
+ϲ
+յ7뭏
+ڸϰ
+<2B>ۺ
+ѷ٫
+ϲ

+ڸϰ888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
+<2B>^^^^^^^^^^^^^^^^^^^<5E><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>^^^^^^^^m^^^^N^<5E>
+ϰԸ
+һһ
+иظ
+ϰԸ
+<2B>
+һ
+ҹ
+ٰԸ
+٪٫
+ϲ

+ڸϰ
+ϰԸ
+<2B>
+<2B>
Ը

+<2B>ؿ
+׺Mй
+٫
+ϲ

+ڸϰ
+ϰԸ
+<2B>
+٫
+ϲ

+ڸϰ
+<2B>ۺ
+٫
+ϲ

+ڸϰ
+ϰԸ
+<2B>^^a^^^N^^^<5E>
+<2B>^^^^^^^<5E>^
+^^^<5E>
\ No newline at end of file
diff --git a/src/psl.c b/src/psl.c
index f1691e0..eefde3c 100644
--- a/src/psl.c
+++ b/src/psl.c
@@ -571,13 +571,11 @@ static int domain_to_punycode(const char *domain, char *out, size_t outsize)
for (e = label = domain; e; label = e + 1) {
e = strchr(label, '.');
labellen = e ? (size_t) (e - label) : strlen(label);
- /* printf("s=%s inlen=%zd\n", label, labellen); */
if (mem_is_ascii(label, labellen)) {
if (outlen + labellen + (e != NULL) >= outsize)
return 1;
- /* printf("outlen=%zd labellen=%zd\n", outlen, labellen); */
memcpy(out + outlen, label, labellen);
outlen += labellen;
} else {
@@ -592,8 +590,7 @@ static int domain_to_punycode(const char *domain, char *out, size_t outsize)
memcpy(out + outlen, "xn--", 4);
outlen += 4;
- labellen = outsize - outlen;
- /* printf("n=%zd space_left=%zd\n", n, labellen); */
+ labellen = outsize - outlen - 1; // -1 to leave space for the trailing \0
if (punycode_encode(inputlen, input, &labellen, out + outlen))
return 1;
outlen += labellen;
--
2.27.0

13
libpsl.spec
View File

@ -1,11 +1,16 @@
Name: libpsl Name: libpsl
Version: 0.21.1 Version: 0.21.1
Release: 5 Release: 7
Summary: C library to handle the Public Suffix List Summary: C library to handle the Public Suffix List
License: MIT License: MIT
URL: https://github.com/rockdaboot/libpsl URL: https://github.com/rockdaboot/libpsl
Source0: https://github.com/rockdaboot/libpsl/releases/download/%{version}/libpsl-%{version}.tar.gz Source0: https://github.com/rockdaboot/libpsl/releases/download/%{version}/libpsl-%{version}.tar.gz
Patch6000: backport-Fix-write-buffer-overflow-by-1-in-domain_to_punycode.patch
Patch6001: backport-Fix-stack-buffer-overflow-WRITE-1-in-domain_to_punycode.patch
Patch6002: backport-Avoid-8bit-overflow-in-is_public_suffix.patch
Patch6003: backport-Avoid-NULL-add-1-as-it-is-UB.patch
BuildRequires: gcc gtk-doc glib2-devel libxslt python3-devel chrpath BuildRequires: gcc gtk-doc glib2-devel libxslt python3-devel chrpath
BuildRequires: libicu-devel libidn2-devel publicsuffix-list libunistring-devel BuildRequires: libicu-devel libidn2-devel publicsuffix-list libunistring-devel
Requires: publicsuffix-list Requires: publicsuffix-list
@ -104,6 +109,12 @@ make check
%{_datadir}/gtk-doc/html/%{name} %{_datadir}/gtk-doc/html/%{name}
%changelog %changelog
* Mon Apr 15 2024 shixuantong <shixuantong1@huawei.com> - 0.21.1-7
- Fix write buffer overflow by 1 in domain_to_punycode()
- Fix stack buffer overflow WRITE 1 in domain_to_punycode()
- Avoid 8bit overflow in is_public_suffix()
- Avoid 'NULL + 1' as it is UB
* Thu Oct 20 2022 gaoruoshu <gaoruoshu@huawei.com> - 0.21.1-5 * Thu Oct 20 2022 gaoruoshu <gaoruoshu@huawei.com> - 0.21.1-5
- reformat spec - reformat spec