From 724c053f0147d0f2dc3e4e0618b30135505a9c0c Mon Sep 17 00:00:00 2001
From: Andy Lau
Date: Wed, 16 Jul 2025 11:50:29 +0000
Subject: [PATCH] backport some patches from upstream
(cherry picked from commit eede569282147d6478658def2574d779f320be5d)
---
 ...-in-evbuffer_add_file-on-empty-files.patch | 108 ++++++++++++++++++
 ...tial-null-dereference-in-http-server.patch | 23 ++++
 ...ort-evthread-fix-NULL-dereference-in.patch | 26 +++++
 libevent.spec | 10 +-
 4 files changed, 166 insertions(+), 1 deletion(-)
 create mode 100644 backport-Fix-leak-in-evbuffer_add_file-on-empty-files.patch
 create mode 100644 backport-Fix-potential-null-dereference-in-http-server.patch
 create mode 100644 backport-evthread-fix-NULL-dereference-in.patch
diff --git a/backport-Fix-leak-in-evbuffer_add_file-on-empty-files.patch b/backport-Fix-leak-in-evbuffer_add_file-on-empty-files.patch
new file mode 100644
index 0000000..b20cc60
--- /dev/null
+++ b/backport-Fix-leak-in-evbuffer_add_file-on-empty-files.patch
@@ -0,0 +1,108 @@
+From 539f73e319cb8760164ff1e0bac0df3895310f91 Mon Sep 17 00:00:00 2001
+From: Azat Khuzhin
+Date: Tue, 20 Feb 2024 09:30:22 +0100
+Subject: [PATCH] Fix leak in evbuffer_add_file() on empty files
+
+Found by oss-fuzz, after coverage had been improved in google/oss-fuzz#11257
+v2: adjust test
+v3: fix for windows (_get_osfhandle() crashes when called on closed fd)
+v4: fix for EVENT__DISABLE_MM_REPLACEMENT
+---
+ buffer.c | 3 +--
+ include/event2/buffer.h | 4 ++--
+ test/regress_buffer.c | 46 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 49 insertions(+), 4 deletions(-)
+
+diff --git a/buffer.c b/buffer.c
+index 3524b35..730d2a7 100644
+--- a/buffer.c
++++ b/buffer.c
+@@ -3206,8 +3206,7 @@ evbuffer_add_file_segment(struct evbuffer *buf,
+ if (!seg->contents) {
+ if (evbuffer_file_segment_materialize(seg)<0) {
+ EVLOCK_UNLOCK(seg->lock, 0);
+- EVBUFFER_UNLOCK(buf);
+- return -1;
++ goto err;
+ }
+ }
+ }
+diff --git a/include/event2/buffer.h b/include/event2/buffer.h
+index 5e225fb9ad..16f0c07827 100644
+--- a/include/event2/buffer.h
++++ b/include/event2/buffer.h
+@@ -555,8 +555,8 @@ int evbuffer_add_reference_with_offset(struct evbuffer *outbuf, const void *data
+ flag is set, it uses those functions. Otherwise, it tries to use
+ mmap (or CreateFileMapping on Windows).
+
+- The function owns the resulting file descriptor and will close it
+- when finished transferring data.
++ The function owns the resulting file descriptor and will close (even in case
++ of error) it when finished transferring data.
+
+ The results of using evbuffer_remove() or evbuffer_pullup() on
+ evbuffers whose data was added using this function are undefined.
+diff --git a/test/regress_buffer.c b/test/regress_buffer.c
+index 01c642204e..2685055f03 100644
+--- a/test/regress_buffer.c
++++ b/test/regress_buffer.c
+@@ -1107,6 +1107,49 @@ addfile_test_readcb(evutil_socket_t fd, short what, void *arg)
+ }
+ }
+
++/* Without mm replacement malloc(0) will not fail, like it should to make the
++ * evbuffer_file_segment_materialize() fails after mmap() failed */
++#ifndef EVENT__DISABLE_MM_REPLACEMENT
++static void
++test_evbuffer_add_file_leak1(void *ptr)
++{
++ struct basic_test_data *testdata = ptr;
++ struct evbuffer *buf = NULL;
++ char *tmpfilename = NULL;
++ int fd;
++
++ (void)testdata;
++
++ fd = regress_make_tmpfile("", 0, &tmpfilename);
++ /* On Windows, if TMP environment variable is corrupted, we may not be
++ * able create temporary file, just skip it */
++ if (fd < 0)
++ tt_skip();
++ TT_BLATHER(("Temporary path: %s, fd: %i", tmpfilename, fd));
++
++ /* On windows _get_osfhandle(closed fd) leads to crash */
++#ifndef _WIN32
++ /* close fd before usage, so that the fallback with pread() will fail (in
++ * evbuffer_file_segment_materialize()) */
++ close(fd);
++#endif
++
++ /* mmap(offset=0, length=0) will fail, this is enough */
++ buf = evbuffer_new();
++ tt_assert(evbuffer_add_file(buf, fd, 0, 0) == -1);
++ evbuffer_validate(buf);
++
++end:
++ if (tmpfilename) {
++ unlink(tmpfilename);
++ free(tmpfilename);
++ }
++ if (buf)
++ evbuffer_free(buf);
++ /* NOTE: file will be closed in evbuffer_add_file() */
++}
++#endif
++
+ static void
+ test_evbuffer_add_file(void *ptr)
+ {
+@@ -2922,6 +2965,9 @@ struct testcase_t evbuffer_testcases[] = {
+ { "copyout", test_evbuffer_copyout, 0, NULL, NULL},
+ { "file_segment_add_cleanup_cb", test_evbuffer_file_segment_add_cleanup_cb, 0, NULL, NULL },
+ { "pullup_with_empty", test_evbuffer_pullup_with_empty, 0, NULL, NULL },
++#ifndef EVENT__DISABLE_MM_REPLACEMENT
++ { "add_file_leak1", test_evbuffer_add_file_leak1, 0, NULL, NULL },
++#endif
+
+ #define ADDFILE_TEST(name,
parameters) \
+ { name, test_evbuffer_add_file, TT_FORK|TT_NEED_BASE, \
diff --git a/backport-Fix-potential-null-dereference-in-http-server.patch b/backport-Fix-potential-null-dereference-in-http-server.patch
new file mode 100644
index 0000000..bfa5066
--- /dev/null
+++ b/backport-Fix-potential-null-dereference-in-http-server.patch
@@ -0,0 +1,23 @@
+From bac9d10a6d67ea8440b00b58b328114438586664 Mon Sep 17 00:00:00 2001
+From: Zhipeng Xue <543984341@qq.com>
+Date: Sun, 5 Mar 2023 05:13:54 +0800
+Subject: [PATCH] Fix potential null dereference in http-server (#1430)
+
+Co-authored-by: Azat Khuzhin
+---
+ sample/http-server.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sample/http-server.c b/sample/http-server.c
+index b006891e19..38a34623f0 100644
+--- a/sample/http-server.c
++++ b/sample/http-server.c
+@@ -258,6 +258,8 @@ send_document_cb(struct evhttp_request *req, void *arg)
+ #ifdef _WIN32
+ dirlen = strlen(whole_path);
+ pattern = malloc(dirlen+3);
++ if (!pattern)
++ goto err;
+ memcpy(pattern, whole_path, dirlen);
+ pattern[dirlen] = '\\';
+ pattern[dirlen+1] = '*';
diff --git a/backport-evthread-fix-NULL-dereference-in.patch b/backport-evthread-fix-NULL-dereference-in.patch
new file mode 100644
index 0000000..7f17fc8
--- /dev/null
+++ b/backport-evthread-fix-NULL-dereference-in.patch
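Review bot: The reworded ownership sentence in include/event2/buffer.h ("will close (even in case of error) it") in backport-Fix-leak-in-evbuffer_add_file-on-empty-files.patch is hard to parse and still does not tell callers what to do after a -1 return, which matters now that the buffer.c hunk sends a failed materialize to `err` (the label is outside the hunk; presumably it releases the segment and with it the descriptor). A caller that also closes fd on failure would then close it twice, and in a threaded program the second close can land on an unrelated descriptor that reused the number. Suggested wording, once it is confirmed that every failure path closes the descriptor: `The function takes ownership of the file descriptor and closes it when the transfer finishes or the call fails; callers must not close it again.` In test_evbuffer_add_file_leak1, `buf = evbuffer_new();` is used unchecked, so a `tt_assert(buf);` before the evbuffer_add_file() call would keep a failed allocation from reaching evbuffer_add_file().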
@@ -0,0 +1,26 @@
+From 6e4ea6c3f104f7777af7715266de8358aa9486b4 Mon Sep 17 00:00:00 2001
+From: Azat Khuzhin
+Date: Sun, 18 Feb 2024 19:31:12 +0100
+Subject: [PATCH] evthread: fix NULL dereference in
+ evthread_setup_global_lock_()
+
+---
+ evthread.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/evthread.c b/evthread.c
+index 9b263b7907..26d2a5641c 100644
+--- a/evthread.c
++++ b/evthread.c
+@@ -402,8 +402,9 @@ evthread_setup_global_lock_(void *lock_, unsigned locktype, int enable_locks)
+ } else {
+ /* Case 4: Fill in a debug lock with a real lock */
+ struct debug_lock *lock = lock_ ? lock_ : debug_lock_alloc(locktype);
+- EVUTIL_ASSERT(enable_locks &&
+- evthread_lock_debugging_enabled_);
++ if (!lock)
++ return NULL;
++ EVUTIL_ASSERT(enable_locks && evthread_lock_debugging_enabled_);
+ EVUTIL_ASSERT(lock->locktype == locktype);
+ if (!lock->lock) {
+ lock->lock = original_lock_fns_.alloc(
diff --git a/libevent.spec b/libevent.spec
index 19fa82a..de179ea 100644
--- a/libevent.spec
+++ b/libevent.spec
@@ -1,6 +1,6 @@
 Name: libevent
 Version: 2.1.12
-Release: 15
+Release: 16
 Summary: An event notification library
 License: BSD
@@ -30,6 +30,9 @@ Patch6007: backport-Fix-potential-Null-pointer-dereference-in-regress_thread.c.p
 Patch6008: backport-Fix-potential-Null-pointer-dereference-in-regress_buffer.c.patch
 Patch6009: backport-Fix-potential-Null-pointer-dereference-in-regress_et.c.patch
 Patch6010: backport-Fix-leak-in-evconnlistener_new_async.patch
+Patch6011: backport-Fix-leak-in-evbuffer_add_file-on-empty-files.patch
+Patch6012: backport-Fix-potential-null-dereference-in-http-server.patch
+Patch6013: backport-evthread-fix-NULL-dereference-in.patch
 Patch0004: 0004-fix-function-undeclared.patch
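Review bot: The new `if (!lock) return NULL;` in evthread_setup_global_lock_() (backport-evthread-fix-NULL-dereference-in.patch) runs before both EVUTIL_ASSERT lines and carries no comment, so a reader cannot tell that it covers a failed debug_lock_alloc() when `lock_` is NULL rather than a caller error; a short comment such as `/* debug_lock_alloc() failed; report it to the caller */` would make that clear. Nothing in the hunk shows how callers treat a NULL return, so it is worth confirming that they check it, otherwise the dereference only moves to the first use of the global lock. The function body starts and ends outside the hunk.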
@@ -92,6 +95,11 @@ rm -f %{buildroot}%{_libdir}/*.la
 %changelog
+* Wed Jul 16 2025 andy - 2.1.12-16
+- Fix leak in evbuffer_add_file() on empty files
+- evthread: fix NULL dereference in evthread_setup_global_lock_()
+- Fix potential null dereference in http-server
+
 * Sun Oct 27 2024 zhangyaqi - 2.1.12-15
 - Fix leak in evconnlistener_new_async()
--
Gitee