File fix-upstream-CVE-2022-31213.patch of Package dbus-broker
From 8b82a8cf51b6b85ae343e2e7842edd06b8cb0798 Mon Sep 17 00:00:00 2001
From: David Rheinsberg <david.rheinsberg@gmail.com>
Date: Thu, 12 May 2022 13:06:00 +0200
Subject: [PATCH] c-shquote: avoid calls to mem*() with NULL
The mem*() functions from the standard library do not accept NULL
pointers, even when the memory area is empty (length 0). Use the
replacements from c-stdaux or guard against such calls properly.
Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
---
subprojects/c-shquote/src/c-shquote.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
Index: dbus-broker-28/subprojects/c-shquote/src/c-shquote.c
===================================================================
--- dbus-broker-28.orig/subprojects/c-shquote/src/c-shquote.c
+++ dbus-broker-28/subprojects/c-shquote/src/c-shquote.c
@@ -28,7 +28,7 @@ int c_shquote_append_str(char **outp,
if (n_in > *n_outp)
return C_SHQUOTE_E_NO_SPACE;
- memcpy(*outp, in, n_in);
+ c_memcpy(*outp, in, n_in);
*outp += n_in;
*n_outp -= n_in;
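Review bot: The `*outp += n_in;` line after the new c_memcpy() call still does pointer arithmetic on `*outp`, and in C adding even zero to a NULL pointer is undefined. If `*outp` is one of the pointers that may be NULL for an empty area, the guard only moves the problem one line down. Consider returning before the copy when there is nothing to append, e.g. `if (n_in == 0) return 0;` (assuming 0 is this function's success value, which is not visible here). If only `in` can be NULL, a short comment saying so would make the intent clear. The body of c_shquote_append_str starts and ends outside this hunk.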
@@ -103,9 +103,10 @@ size_t c_shquote_strncspn(const char *st
bool buffer[UCHAR_MAX + 1] = {};
if (strlen(reject) == 1) {
- const char *p;
+ const char *p = NULL;
- p = memchr(string, reject[0], n_string);
+ if (n_string > 0)
+ p = memchr(string, reject[0], n_string);
if (!p)
return n_string;
else
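Review bot: The `n_string > 0` guard around memchr() is hand-written here and repeated in the first c_shquote_parse_argv hunk (`n_input > 0 && memchr(...)`), while memcpy() gets a shared wrapper in c-stdaux.h. A matching helper would keep the NULL-with-zero-length rule in one place: `static inline void *c_memchr(const void *p, int c, size_t n) { return n > 0 ? memchr(p, c, n) : NULL; }`. Failing that, a comment such as `/* memchr() must not be called with NULL, even for n == 0 */` above each guard would stop a later cleanup from removing it. The function continues past the end of this hunk.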
@@ -600,7 +601,7 @@ _c_public_ int c_shquote_parse_argv(char
char *out;
int r;
- if (memchr(input, '\0', n_input))
+ if (n_input > 0 && memchr(input, '\0', n_input))
return C_SHQUOTE_E_CONTAINS_NULL;
buffer = malloc(n_input + 1);
@@ -651,7 +652,7 @@ _c_public_ int c_shquote_parse_argv(char
return -ENOMEM;
out = (char *)(argv + argc + 1);
- memcpy(out, buffer, n_out);
+ c_memcpy(out, buffer, n_out);
/*
* We now have the argv-array pre-allocated and the tokenized strings
Index: dbus-broker-28/subprojects/c-stdaux/src/c-stdaux.h
===================================================================
--- dbus-broker-28.orig/subprojects/c-stdaux/src/c-stdaux.h
+++ dbus-broker-28/subprojects/c-stdaux/src/c-stdaux.h
@@ -470,6 +470,57 @@ static inline int c_errno(void) {
return _c_likely_(errno > 0) ? errno : ENOTRECOVERABLE;
}
+/**
+ * c_memset() - Fill memory region with constant byte
+ * @p: Pointer to memory region, if non-empty
+ * @c: Value to fill with
+ * @n: Size of the memory region in bytes
+ *
+ * This function works like ``memset(3)`` if ``n`` is non-zero. If ``n`` is
+ * zero, this function is a no-op. Therefore, unlike ``memset(3)`` it is safe
+ * to call this function with ``NULL`` as ``p`` if ``n`` is 0.
+ *
+ * Return: ``p`` is returned.
+ */
+static inline void *c_memset(void *p, int c, size_t n) {
+ if (n > 0)
+ memset(p, c, n);
+ return p;
+}
+
+/**
+ * c_memzero() - Clear memory area
+ * @p: Pointer to memory region, if non-empty
+ * @n: Size of the memory region in bytes
+ *
+ * Clear a memory area to 0. If the memory area is empty, this is a no-op.
+ * Similar to ``c_memset()``, this function allows ``p`` to be ``NULL`` if the
+ * area is empty.
+ *
+ * Return: ``p`` is returned.
+ */
+static inline void *c_memzero(void *p, size_t n) {
+ return c_memset(p, 0, n);
+}
+
+/**
+ * c_memcpy() - Copy memory area
+ * @dst: Pointer to target area
+ * @src: Pointer to source area
+ * @n: Length of area to copy
+ *
+ * Copy the memory of size ``n`` from ``src`` to ``dst``, just as ``memcpy(3)``
+ * does, except this function allows either to be ``NULL`` if ``n`` is zero. In
+ * the latter case, the operation is a no-op.
+ *
+ * Return: ``p`` is returned.
+ */
+static inline void *c_memcpy(void *dst, const void *src, size_t n) {
+ if (n > 0)
+ memcpy(dst, src, n);
+ return dst;
+}
+
/*
* Common Destructors
*
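Review bot: The doc comment for c_memcpy() ends with ``Return: ``p`` is returned.``, but the function has no parameter `p`; it returns `dst`, so the line should read ``* Return: ``dst`` is returned.``. The c_memzero() comment would also benefit from stating that it is a plain memset() underneath, which the compiler may remove when the buffer is not read afterwards. It should therefore not be relied on to scrub key material or other secrets.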