fix CVE-2022-30974 CVE-2022-30975

(cherry picked from commit 00909060aee6fdf2577bf1576131a73a9829329b)
2022-09-27 10:41:35 +08:00 · 2022-09-27 10:41:35 +08:00 · e9d9c58dc3
commit e9d9c58dc3
parent e4ebbda096
4 changed files with 157 additions and 1 deletions
--- a/0001-Issue-162-Check-stack-overflow-during-regexp-compila.patch
+++ b/0001-Issue-162-Check-stack-overflow-during-regexp-compila.patch
@ -0,0 +1,64 @@
+From 160ae29578054dc09fd91e5401ef040d52797e61 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Tue, 17 May 2022 15:31:50 +0200
+Subject: [PATCH 1/3] Issue #162: Check stack overflow during regexp
+ compilation.
+
+Only bother checking during the first compilation pass that counts
+the size of the program.
+---
+ regexp.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/regexp.c b/regexp.c
+index 9d16867..8a43fef 100644
+--- a/regexp.c
+++ b/regexp.c
+@@ -622,25 +622,26 @@ struct Reinst {
+ 	Reinst *y;
+ };
+ 
+-static int count(struct cstate *g, Renode *node)
+static int count(struct cstate *g, Renode *node, int depth)
+ {
+ 	int min, max, n;
+ 	if (!node) return 0;
+	if (++depth > REG_MAXREC) die(g, "stack overflow");
+ 	switch (node->type) {
+ 	default: return 1;
+-	case P_CAT: return count(g, node->x) + count(g, node->y);
+-	case P_ALT: return count(g, node->x) + count(g, node->y) + 2;
+	case P_CAT: return count(g, node->x, depth) + count(g, node->y, depth);
+	case P_ALT: return count(g, node->x, depth) + count(g, node->y, depth) + 2;
+ 	case P_REP:
+ 		min = node->m;
+ 		max = node->n;
+-		if (min == max) n = count(g, node->x) * min;
+-		else if (max < REPINF) n = count(g, node->x) * max + (max - min);
+-		else n = count(g, node->x) * (min + 1) + 2;
+		if (min == max) n = count(g, node->x, depth) * min;
+		else if (max < REPINF) n = count(g, node->x, depth) * max + (max - min);
+		else n = count(g, node->x, depth) * (min + 1) + 2;
+ 		if (n < 0 || n > REG_MAXPROG) die(g, "program too large");
+ 		return n;
+-	case P_PAR: return count(g, node->x) + 2;
+-	case P_PLA: return count(g, node->x) + 2;
+-	case P_NLA: return count(g, node->x) + 2;
+	case P_PAR: return count(g, node->x, depth) + 2;
+	case P_PLA: return count(g, node->x, depth) + 2;
+	case P_NLA: return count(g, node->x, depth) + 2;
+ 	}
+ }
+ 
+@@ -903,7 +904,7 @@ Reprog *regcompx(void *(*alloc)(void *ctx, void *p, int n), void *ctx,
+ 	putchar('\n');
+ #endif
+ 
+-	n = 6 + count(&g, node);
+	n = 6 + count(&g, node, 0);
+ 	if (n < 0 || n > REG_MAXPROG)
+ 		die(&g, "program too large");
+ 
+-- 
+2.20.1
+
--- a/0002-Issue-161-Don-t-fclose-a-FILE-that-is-NULL.patch
+++ b/0002-Issue-161-Don-t-fclose-a-FILE-that-is-NULL.patch
@ -0,0 +1,25 @@
+From 910acc807c3c057e1c0726160808f3a9f37b40ec Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Tue, 17 May 2022 15:53:30 +0200
+Subject: [PATCH 2/3] Issue #161: Don't fclose a FILE that is NULL.
+
+---
+ pp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pp.c b/pp.c
+index bf6000c..2657369 100644
+--- a/pp.c
+++ b/pp.c
+@@ -34,7 +34,7 @@ void js_ppfile(js_State *J, const char *filename, int minify)
+ 
+ 	if (js_try(J)) {
+ 		js_free(J, s);
+-		fclose(f);
+		if (f) fclose(f);
+ 		js_throw(J);
+ 	}
+ 
+-- 
+2.20.1
+
--- a/0003-Issue-161-Cope-with-empty-programs-in-mujs-pp.patch
+++ b/0003-Issue-161-Cope-with-empty-programs-in-mujs-pp.patch
@ -0,0 +1,54 @@
+From f5b3c703e18725e380b83427004632e744f85a6f Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Tue, 17 May 2022 15:57:00 +0200
+Subject: [PATCH 3/3] Issue #161: Cope with empty programs in mujs-pp.
+
+---
+ jsdump.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+diff --git a/jsdump.c b/jsdump.c
+index 86361e6..42c9f0f 100644
+--- a/jsdump.c
+++ b/jsdump.c
+@@ -682,11 +682,13 @@ static void pstmlist(int d, js_Ast *list)
+ void jsP_dumpsyntax(js_State *J, js_Ast *prog, int dominify)
+ {
+ 	minify = dominify;
+-	if (prog->type == AST_LIST)
+-		pstmlist(-1, prog);
+-	else {
+-		pstm(0, prog);
+-		nl();
+	if (prog) {
+		if (prog->type == AST_LIST)
+			pstmlist(-1, prog);
+		else {
+			pstm(0, prog);
+			nl();
+		}
+ 	}
+ 	if (minify > 1)
+ 		putchar('\n');
+@@ -768,11 +770,13 @@ static void sblock(int d, js_Ast *list)
+ void jsP_dumplist(js_State *J, js_Ast *prog)
+ {
+ 	minify = 0;
+-	if (prog->type == AST_LIST)
+-		sblock(0, prog);
+-	else
+-		snode(0, prog);
+-	nl();
+	if (prog) {
+		if (prog->type == AST_LIST)
+			sblock(0, prog);
+		else
+			snode(0, prog);
+		nl();
+	}
+ }
+ 
+ /* Compiled code */
+-- 
+2.20.1
+
--- a/mujs.spec
+++ b/mujs.spec
@ -1,6 +1,6 @@
 Name:           mujs
 Version:        1.2.0
-Release:        1
+Release:        2
 Summary:        An embeddable Javascript interpreter
 License:        ISC
 URL:            http://mujs.com/
@ -8,6 +8,12 @@ URL:            http://mujs.com/
 # Github mirror of mujs.com repository provides releases from tags
 Source0:        https://mujs.com/downloads/mujs-%{version}.tar.gz

+# CVE-2022-30974
+Patch0001:      0001-Issue-162-Check-stack-overflow-during-regexp-compila.patch
+Patch0002:      0002-Issue-161-Don-t-fclose-a-FILE-that-is-NULL.patch
+# CVE-2022-30975
+Patch0003:      0003-Issue-161-Cope-with-empty-programs-in-mujs-pp.patch
+
 BuildRequires:  coreutils
 BuildRequires:  gcc
 BuildRequires:  grep
@ -29,6 +35,10 @@ This package provides the MuJS static library.
 %setup -q -n %{name}-%{version}
 chmod a-x -v docs/*

+%patch0001 -p1
+%patch0002 -p1
+%patch0003 -p1
+
 %build
 make debug %{?_smp_mflags} XCFLAGS="%{optflags} -fPIC" LDFLAGS="%{?__global_ldflags}"

@ -49,6 +59,9 @@ make install DESTDIR=%{buildroot} prefix="%{_prefix}" libdir="%{_libdir}" \
 %{_libdir}/lib%{name}.a

 %changelog
+* Tue Sep 27 2022 liweiganga <liweiganga@uniontech.com> - 1.2.0-2
+- fix: fix CVE-2022-30974 CVE-2022-30974
+
 * Mon Sep 26 2022 liweiganga <liweiganga@uniontech.com> - 1.2.0-1
 - upstream release 1.2.0
 - fix: fix CVE-2016-10141、CVE-2016-7504、CVE-2016-9136、CVE-2017-5628、CVE-2016-9017、\