[AUTO-CHERRYPICK] rapidjson: fix CVE-2024-38517 and CVE-2024-39684 - branch main (#9897)

Co-authored-by: xiaohong <Xiaohong-Deng@users.noreply.github.com>
2024-07-25 16:00:36 -07:00 · 2024-07-25 16:00:36 -07:00 · f5e5df1bcf
--- a/SPECS/rapidjson/CVE-2024-38517.patch
+++ b/SPECS/rapidjson/CVE-2024-38517.patch
@ -0,0 +1,59 @@
+From 8269bc2bc289e9d343bae51cdf6d23ef0950e001 Mon Sep 17 00:00:00 2001
+From: Florin Malita <fmalita@gmail.com>
+Date: Tue, 15 May 2018 22:48:07 -0400
+Subject: [PATCH] Prevent int underflow when parsing exponents
+
+When parsing negative exponents, the current implementation takes
+precautions for |exp| to not underflow int.
+
+But that is not sufficient: later on [1], |exp + expFrac| is also
+stored to an int - so we must ensure that the sum stays within int
+representable values.
+
+Update the exp clamping logic to take expFrac into account.
+
+[1] https://github.com/Tencent/rapidjson/blob/master/include/rapidjson/reader.h#L1690
+---
+ include/rapidjson/reader.h   | 11 ++++++++++-
+ test/unittest/readertest.cpp |  1 +
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/include/rapidjson/reader.h b/include/rapidjson/reader.h
+index 7441eda4..f95aef42 100644
+--- a/include/rapidjson/reader.h
+++ b/include/rapidjson/reader.h
+@@ -1632,9 +1632,18 @@ private:
+             if (RAPIDJSON_LIKELY(s.Peek() >= '0' && s.Peek() <= '9')) {
+                 exp = static_cast<int>(s.Take() - '0');
+                 if (expMinus) {
+                    // (exp + expFrac) must not underflow int => we're detecting when -exp gets
+                    // dangerously close to INT_MIN (a pessimistic next digit 9 would push it into
+                    // underflow territory):
+                    //
+                    //        -(exp * 10 + 9) + expFrac >= INT_MIN
+                    //   <=>  exp <= (expFrac - INT_MIN - 9) / 10
+                    RAPIDJSON_ASSERT(expFrac <= 0);
+                    int maxExp = (expFrac + 2147483639) / 10;
+
+                     while (RAPIDJSON_LIKELY(s.Peek() >= '0' && s.Peek() <= '9')) {
+                         exp = exp * 10 + static_cast<int>(s.Take() - '0');
+-                        if (exp >= 214748364) {                         // Issue #313: prevent overflow exponent
+                        if (RAPIDJSON_UNLIKELY(exp > maxExp)) {
+                             while (RAPIDJSON_UNLIKELY(s.Peek() >= '0' && s.Peek() <= '9'))  // Consume the rest of exponent
+                                 s.Take();
+                         }
+diff --git a/test/unittest/readertest.cpp b/test/unittest/readertest.cpp
+index e5308019..c4800b93 100644
+--- a/test/unittest/readertest.cpp
+++ b/test/unittest/readertest.cpp
+@@ -242,6 +242,7 @@ static void TestParseDouble() {
+     TEST_DOUBLE(fullPrecision, "1e-214748363", 0.0);                                  // Maximum supported negative exponent
+     TEST_DOUBLE(fullPrecision, "1e-214748364", 0.0);
+     TEST_DOUBLE(fullPrecision, "1e-21474836311", 0.0);
+    TEST_DOUBLE(fullPrecision, "1.00000000001e-2147483638", 0.0);
+     TEST_DOUBLE(fullPrecision, "0.017976931348623157e+310", 1.7976931348623157e+308); // Max double in another form
+ 
+     // Since
+-- 
+2.34.1
+
--- a/SPECS/rapidjson/CVE-2024-39684.nopatch
+++ b/SPECS/rapidjson/CVE-2024-39684.nopatch
@ -0,0 +1 @@
+CVE-2024-39684 is a duplicate of CVE-2024-38517
--- a/SPECS/rapidjson/rapidjson.spec
+++ b/SPECS/rapidjson/rapidjson.spec
@ -1,7 +1,7 @@
 Summary:        A fast JSON parser/generator for C++ with both SAX/DOM style API
 Name:           rapidjson
 Version:        1.1.0
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        BSD and JSON and MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -11,6 +11,7 @@ Source0:        %{url}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Patch0:         0000-Supress-implicit-fallthrough-in-GCC.patch
 Patch1:         0001-Onley-apply-to-GCC-7.patch
 Patch2:         0002-Correct-object-copying-in-document_h.patch
+Patch3:         CVE-2024-38517.patch
 %global debug_package %{nil}
 BuildRequires:  cmake
 BuildRequires:  gcc
@ -52,6 +53,9 @@ make test
 %{_datadir}

 %changelog
+* Wed Jul 17 2024 Xiaohong Deng <xiaohongdeng@microsoft.com> - 1.1.0-8
+- Patch CVE-2024-38517
+
 * Mon Apr 11 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.1.0-7
 - Fixing invalid source URL.
 - License verified.
				`@ -0,0 +1 @@`
				`CVE-2024-39684 is a duplicate of CVE-2024-38517`