File fix-upstream-CVE-2022-42010.patch of Package dbus-1-x11

Overview Repositories Revisions Requests Users Attributes Meta

File fix-upstream-CVE-2022-42010.patch of Package dbus-1-x11 (Revision 0985657dab80d85437d4085ba677756e)

Currently displaying revision 0985657dab80d85437d4085ba677756e , Show latest

commit 9d07424e9011e3bbe535e83043d335f3093d2916
Author: Simon McVittie <smcv@collabora.com>
Date:   Tue Sep 13 15:10:22 2022 +0100

dbus-marshal-validate: Check brackets in signature nest correctly
    
    In debug builds with assertions enabled, a signature with incorrectly
    nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result
    in an assertion failure.
    
    In production builds without assertions enabled, a signature with
    incorrectly nested `()` and `{}` could potentially result in a crash
    or incorrect message parsing, although we do not have a concrete example
    of either of these failure modes.
    
    Thanks: Evgeny Vereshchagin
    Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418
    Resolves: CVE-2022-42010
    Signed-off-by: Simon McVittie <smcv@collabora.com>

diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
index 4d492f3f..ae68414d 100644
--- a/dbus/dbus-marshal-validate.c
+++ b/dbus/dbus-marshal-validate.c
@@ -62,6 +62,8 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
 
   int element_count;
   DBusList *element_count_stack;
+  char opened_brackets[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2 + 1] = { '\0' };
+  char last_bracket;
 
   result = DBUS_VALID;
   element_count_stack = NULL;
@@ -93,6 +95,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
 
   while (p != end)
     {
+      _dbus_assert (struct_depth + dict_entry_depth >= 0);
+      _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
+      _dbus_assert (opened_brackets[struct_depth + dict_entry_depth] == '\0');
+
       switch (*p)
         {
         case DBUS_TYPE_BYTE:
@@ -136,6 +142,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
               goto out;
             }
 
+          _dbus_assert (struct_depth + dict_entry_depth >= 1);
+          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
+          _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
+          opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_STRUCT_BEGIN_CHAR;
           break;
 
         case DBUS_STRUCT_END_CHAR:
@@ -151,9 +161,20 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
               goto out;
             }
 
+          _dbus_assert (struct_depth + dict_entry_depth >= 1);
+          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
+          last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
+
+          if (last_bracket != DBUS_STRUCT_BEGIN_CHAR)
+            {
+              result = DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED;
+              goto out;
+            }
+
           _dbus_list_pop_last (&element_count_stack);
 
           struct_depth -= 1;
+          opened_brackets[struct_depth + dict_entry_depth] = '\0';
           break;
 
         case DBUS_DICT_ENTRY_BEGIN_CHAR:
@@ -178,6 +199,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
               goto out;
             }
 
+          _dbus_assert (struct_depth + dict_entry_depth >= 1);
+          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
+          _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
+          opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_DICT_ENTRY_BEGIN_CHAR;
           break;
 
         case DBUS_DICT_ENTRY_END_CHAR:
@@ -186,8 +211,19 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
               result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
               goto out;
             }
-            
+
+          _dbus_assert (struct_depth + dict_entry_depth >= 1);
+          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
+          last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
+
+          if (last_bracket != DBUS_DICT_ENTRY_BEGIN_CHAR)
+            {
+              result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
+              goto out;
+            }
+
           dict_entry_depth -= 1;
+          opened_brackets[struct_depth + dict_entry_depth] = '\0';
 
           element_count = 
             _DBUS_POINTER_TO_INT (_dbus_list_pop_last (&element_count_stack));

Places

File fix-upstream-CVE-2022-42010.patch of Package dbus-1-x11 (Revision 0985657dab80d85437d4085ba677756e)

Places