fix CVE-2022-30974 CVE-2022-30975

(cherry picked from commit 00909060aee6fdf2577bf1576131a73a9829329b)
2022-09-27 10:41:35 +08:00 · 2022-09-27 10:41:35 +08:00 · e9d9c58dc3
commit e9d9c58dc3
parent e4ebbda096
4 changed files with 157 additions and 1 deletions
--- a/0001-Issue-162-Check-stack-overflow-during-regexp-compila.patch
+++ b/0001-Issue-162-Check-stack-overflow-during-regexp-compila.patch
@ -0,0 +1,64 @@
 From 160ae29578054dc09fd91e5401ef040d52797e61 Mon Sep 17 00:00:00 2001
 From: Tor Andersson <tor.andersson@artifex.com>
 Date: Tue, 17 May 2022 15:31:50 +0200
 Subject: [PATCH 1/3] Issue #162: Check stack overflow during regexp
 compilation.
 Only bother checking during the first compilation pass that counts
 the size of the program.
 ---
 regexp.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
 diff --git a/regexp.c b/regexp.c
 index 9d16867..8a43fef 100644
 --- a/regexp.c
 +++ b/regexp.c
@@ -622,25 +622,26 @@ struct Reinst {
 	Reinst *y;
 };
 -static int count(struct cstate *g, Renode *node)
 +static int count(struct cstate *g, Renode *node, int depth)
 {
 	int min, max, n;
 	if (!node) return 0;
 +	if (++depth > REG_MAXREC) die(g, "stack overflow");
 	switch (node->type) {
 	default: return 1;
 -	case P_CAT: return count(g, node->x) + count(g, node->y);
 -	case P_ALT: return count(g, node->x) + count(g, node->y) + 2;
 +	case P_CAT: return count(g, node->x, depth) + count(g, node->y, depth);
 +	case P_ALT: return count(g, node->x, depth) + count(g, node->y, depth) + 2;
 	case P_REP:
 		min = node->m;
 		max = node->n;
 -		if (min == max) n = count(g, node->x) * min;
 -		else if (max < REPINF) n = count(g, node->x) * max + (max - min);
 -		else n = count(g, node->x) * (min + 1) + 2;
 +		if (min == max) n = count(g, node->x, depth) * min;
 +		else if (max < REPINF) n = count(g, node->x, depth) * max + (max - min);
 +		else n = count(g, node->x, depth) * (min + 1) + 2;
 		if (n < 0 || n > REG_MAXPROG) die(g, "program too large");
 		return n;
 -	case P_PAR: return count(g, node->x) + 2;
 -	case P_PLA: return count(g, node->x) + 2;
 -	case P_NLA: return count(g, node->x) + 2;
 +	case P_PAR: return count(g, node->x, depth) + 2;
 +	case P_PLA: return count(g, node->x, depth) + 2;
 +	case P_NLA: return count(g, node->x, depth) + 2;
 	}
 }
@@ -903,7 +904,7 @@ Reprog *regcompx(void *(*alloc)(void *ctx, void *p, int n), void *ctx,
 	putchar('\n');
 #endif
 -	n = 6 + count(&g, node);
 +	n = 6 + count(&g, node, 0);
 	if (n < 0 || n > REG_MAXPROG)
 		die(&g, "program too large");
 -- 
 2.20.1
--- a/0002-Issue-161-Don-t-fclose-a-FILE-that-is-NULL.patch
+++ b/0002-Issue-161-Don-t-fclose-a-FILE-that-is-NULL.patch
@ -0,0 +1,25 @@
 From 910acc807c3c057e1c0726160808f3a9f37b40ec Mon Sep 17 00:00:00 2001
 From: Tor Andersson <tor.andersson@artifex.com>
 Date: Tue, 17 May 2022 15:53:30 +0200
 Subject: [PATCH 2/3] Issue #161: Don't fclose a FILE that is NULL.
 ---
 pp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/pp.c b/pp.c
 index bf6000c..2657369 100644
 --- a/pp.c
 +++ b/pp.c
@@ -34,7 +34,7 @@ void js_ppfile(js_State *J, const char *filename, int minify)
 	if (js_try(J)) {
 		js_free(J, s);
 -		fclose(f);
 +		if (f) fclose(f);
 		js_throw(J);
 	}
 -- 
 2.20.1
--- a/0003-Issue-161-Cope-with-empty-programs-in-mujs-pp.patch
+++ b/0003-Issue-161-Cope-with-empty-programs-in-mujs-pp.patch
@ -0,0 +1,54 @@
 From f5b3c703e18725e380b83427004632e744f85a6f Mon Sep 17 00:00:00 2001
 From: Tor Andersson <tor.andersson@artifex.com>
 Date: Tue, 17 May 2022 15:57:00 +0200
 Subject: [PATCH 3/3] Issue #161: Cope with empty programs in mujs-pp.
 ---
 jsdump.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)
 diff --git a/jsdump.c b/jsdump.c
 index 86361e6..42c9f0f 100644
 --- a/jsdump.c
 +++ b/jsdump.c
@@ -682,11 +682,13 @@ static void pstmlist(int d, js_Ast *list)
 void jsP_dumpsyntax(js_State *J, js_Ast *prog, int dominify)
 {
 	minify = dominify;
 -	if (prog->type == AST_LIST)
 -		pstmlist(-1, prog);
 -	else {
 -		pstm(0, prog);
 -		nl();
 +	if (prog) {
 +		if (prog->type == AST_LIST)
 +			pstmlist(-1, prog);
 +		else {
 +			pstm(0, prog);
 +			nl();
 +		}
 	}
 	if (minify > 1)
 		putchar('\n');
@@ -768,11 +770,13 @@ static void sblock(int d, js_Ast *list)
 void jsP_dumplist(js_State *J, js_Ast *prog)
 {
 	minify = 0;
 -	if (prog->type == AST_LIST)
 -		sblock(0, prog);
 -	else
 -		snode(0, prog);
 -	nl();
 +	if (prog) {
 +		if (prog->type == AST_LIST)
 +			sblock(0, prog);
 +		else
 +			snode(0, prog);
 +		nl();
 +	}
 }
 /* Compiled code */
 -- 
 2.20.1
--- a/mujs.spec
+++ b/mujs.spec
@ -1,6 +1,6 @@
 Name:           mujs
 Version:        1.2.0
-Release:        1
+Release:        2
 Summary:        An embeddable Javascript interpreter
 License:        ISC
 URL:            http://mujs.com/
@ -8,6 +8,12 @@ URL:            http://mujs.com/
 # Github mirror of mujs.com repository provides releases from tags
 Source0:        https://mujs.com/downloads/mujs-%{version}.tar.gz
 # CVE-2022-30974
 Patch0001:      0001-Issue-162-Check-stack-overflow-during-regexp-compila.patch
 Patch0002:      0002-Issue-161-Don-t-fclose-a-FILE-that-is-NULL.patch
 # CVE-2022-30975
 Patch0003:      0003-Issue-161-Cope-with-empty-programs-in-mujs-pp.patch
 BuildRequires:  coreutils
 BuildRequires:  gcc
 BuildRequires:  grep
@ -29,6 +35,10 @@ This package provides the MuJS static library.
 %setup -q -n %{name}-%{version}
 chmod a-x -v docs/*
 %patch0001 -p1
 %patch0002 -p1
 %patch0003 -p1
 %build
 make debug %{?_smp_mflags} XCFLAGS="%{optflags} -fPIC" LDFLAGS="%{?__global_ldflags}"
@ -49,6 +59,9 @@ make install DESTDIR=%{buildroot} prefix="%{_prefix}" libdir="%{_libdir}" \
 %{_libdir}/lib%{name}.a
 %changelog
 * Tue Sep 27 2022 liweiganga <liweiganga@uniontech.com> - 1.2.0-2
 - fix: fix CVE-2022-30974 CVE-2022-30974
 * Mon Sep 26 2022 liweiganga <liweiganga@uniontech.com> - 1.2.0-1
 - upstream release 1.2.0
 - fix: fix CVE-2016-10141、CVE-2016-7504、CVE-2016-9136、CVE-2017-5628、CVE-2016-9017、\