microsoft
/
CBL-Mariner
зеркало из https://github.com/microsoft/CBL-Mariner.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

[AUTO-CHERRYPICK] rapidjson: fix CVE-2024-38517 and CVE-2024-39684 - branch main (#9897) 

Co-authored-by: xiaohong <Xiaohong-Deng@users.noreply.github.com>
This commit is contained in:
CBL-Mariner-Bot 2024-07-25 16:00:36 -07:00 коммит произвёл GitHub
Родитель 2dd276939a
Коммит f5e5df1bcf
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
3 изменённых файлов: 65 добавлений и 1 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

59
SPECS/rapidjson/CVE-2024-38517.patch Normal file
Просмотреть файл

@ -0,0 +1,59 @@
From 8269bc2bc289e9d343bae51cdf6d23ef0950e001 Mon Sep 17 00:00:00 2001
From: Florin Malita <fmalita@gmail.com>
Date: Tue, 15 May 2018 22:48:07 -0400
Subject: [PATCH] Prevent int underflow when parsing exponents
When parsing negative exponents, the current implementation takes
precautions for |exp| to not underflow int.
But that is not sufficient: later on [1], |exp + expFrac| is also
stored to an int - so we must ensure that the sum stays within int
representable values.
Update the exp clamping logic to take expFrac into account.
[1] https://github.com/Tencent/rapidjson/blob/master/include/rapidjson/reader.h#L1690
---
include/rapidjson/reader.h | 11 ++++++++++-
test/unittest/readertest.cpp | 1 +
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/include/rapidjson/reader.h b/include/rapidjson/reader.h
index 7441eda4..f95aef42 100644
--- a/include/rapidjson/reader.h
+++ b/include/rapidjson/reader.h
@@ -1632,9 +1632,18 @@ private:
if (RAPIDJSON_LIKELY(s.Peek() >= '0' && s.Peek() <= '9')) {
exp = static_cast<int>(s.Take() - '0');
if (expMinus) {
+ // (exp + expFrac) must not underflow int => we're detecting when -exp gets
+ // dangerously close to INT_MIN (a pessimistic next digit 9 would push it into
+ // underflow territory):
+ //
+ // -(exp * 10 + 9) + expFrac >= INT_MIN
+ // <=> exp <= (expFrac - INT_MIN - 9) / 10
+ RAPIDJSON_ASSERT(expFrac <= 0);
+ int maxExp = (expFrac + 2147483639) / 10;
+
while (RAPIDJSON_LIKELY(s.Peek() >= '0' && s.Peek() <= '9')) {
exp = exp * 10 + static_cast<int>(s.Take() - '0');
- if (exp >= 214748364) { // Issue #313: prevent overflow exponent
+ if (RAPIDJSON_UNLIKELY(exp > maxExp)) {
while (RAPIDJSON_UNLIKELY(s.Peek() >= '0' && s.Peek() <= '9')) // Consume the rest of exponent
s.Take();
}
diff --git a/test/unittest/readertest.cpp b/test/unittest/readertest.cpp
index e5308019..c4800b93 100644
--- a/test/unittest/readertest.cpp
+++ b/test/unittest/readertest.cpp
@@ -242,6 +242,7 @@ static void TestParseDouble() {
TEST_DOUBLE(fullPrecision, "1e-214748363", 0.0); // Maximum supported negative exponent
TEST_DOUBLE(fullPrecision, "1e-214748364", 0.0);
TEST_DOUBLE(fullPrecision, "1e-21474836311", 0.0);
+ TEST_DOUBLE(fullPrecision, "1.00000000001e-2147483638", 0.0);
TEST_DOUBLE(fullPrecision, "0.017976931348623157e+310", 1.7976931348623157e+308); // Max double in another form
// Since
--
2.34.1

1
SPECS/rapidjson/CVE-2024-39684.nopatch Normal file
Просмотреть файл

@ -0,0 +1 @@
CVE-2024-39684 is a duplicate of CVE-2024-38517

6
SPECS/rapidjson/rapidjson.spec
Просмотреть файл

@ -1,7 +1,7 @@
Summary: A fast JSON parser/generator for C++ with both SAX/DOM style API
Name: rapidjson
Version: 1.1.0
Release: 7%{?dist}
Release: 8%{?dist}
License: BSD and JSON and MIT
Vendor: Microsoft Corporation
Distribution: Mariner
@ -11,6 +11,7 @@ Source0: %{url}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Patch0: 0000-Supress-implicit-fallthrough-in-GCC.patch
Patch1: 0001-Onley-apply-to-GCC-7.patch
Patch2: 0002-Correct-object-copying-in-document_h.patch
Patch3: CVE-2024-38517.patch
%global debug_package %{nil}
BuildRequires: cmake
BuildRequires: gcc
@ -52,6 +53,9 @@ make test
%{_datadir}
%changelog
* Wed Jul 17 2024 Xiaohong Deng <xiaohongdeng@microsoft.com> - 1.1.0-8
- Patch CVE-2024-38517
* Mon Apr 11 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.1.0-7
- Fixing invalid source URL.
- License verified.