diff --git a/0004-src-avoid-OOB-read-in-URL-parser.patch b/0004-src-avoid-OOB-read-in-URL-parser.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6108a397efe0aa1ec92b151657b57791d4537977
--- /dev/null
+++ b/0004-src-avoid-OOB-read-in-URL-parser.patch
@@ -0,0 +1,79 @@
+From 4cb8fa4aa5dea72bc66ea950e3fc193385bb7175 Mon Sep 17 00:00:00 2001
+From: gaozhekang
+Date: Wed, 4 Nov 2020 11:12:53 +0800
+Subject: [PATCH] src: avoid OOB read in URL parser
+
+This is not a big concern, because right now, all (non-test) inputs
+to the parser are `'\0'`-terminated, but we should be future-proof
+here and not perform these OOB reads.
+
+---
+ src/node_url.cc | 6 +++---
+ test/cctest/test_url.cc | 20 ++++++++++++++++++++
+ 2 files changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/src/node_url.cc b/src/node_url.cc
+index 7bfcde5..41492b1 100644
+--- a/src/node_url.cc
++++ b/src/node_url.cc
+@@ -1487,7 +1487,7 @@ void URL::Parse(const char* input,
+ state = kSpecialRelativeOrAuthority;
+ } else if (special) {
+ state = kSpecialAuthoritySlashes;
+- } else if (p[1] == '/') {
++ } else if (p + 1 < end && p[1] == '/') {
+ state = kPathOrAuthority;
+ p++;
+ } else {
+@@ -1547,7 +1547,7 @@ void URL::Parse(const char* input,
+ }
+ break;
+ case kSpecialRelativeOrAuthority:
+- if (ch == '/' && p[1] == '/') {
++ if (ch == '/' && p + 1 < end && p[1] == '/') {
+ state = kSpecialAuthorityIgnoreSlashes;
+ p++;
+ } else {
+@@ -1695,7 +1695,7 @@ void URL::Parse(const char* input,
+ break;
+ case kSpecialAuthoritySlashes:
+ state = kSpecialAuthorityIgnoreSlashes;
+- if (ch == '/' && p[1] == '/') {
++ if (ch == '/' && p + 1 < end && p[1] == '/') {
+ p++;
+ } else {
+ continue;
+diff --git a/test/cctest/test_url.cc b/test/cctest/test_url.cc
+index ddef534..810cbc2 100644
+--- a/test/cctest/test_url.cc
++++ b/test/cctest/test_url.cc
+@@ -80,6 +80,26 @@ TEST_F(URLTest, Base3) {
+ EXPECT_EQ(simple.path(), "/baz");
+ }
+
++TEST_F(URLTest, TruncatedAfterProtocol) {
++ char input[2] = { 'q', ':' };
++ URL simple(input, sizeof(input));
++
++ EXPECT_FALSE(simple.flags() & URL_FLAGS_FAILED);
++ EXPECT_EQ(simple.protocol(), "q:");
++ EXPECT_EQ(simple.host(), "");
++ EXPECT_EQ(simple.path(), "/");
++}
++
++TEST_F(URLTest, TruncatedAfterProtocol2) {
++ char input[6] = { 'h', 't', 't', 'p', ':', '/' };
++ URL simple(input, sizeof(input));
++
++ EXPECT_TRUE(simple.flags() & URL_FLAGS_FAILED);
++ EXPECT_EQ(simple.protocol(), "http:");
++ EXPECT_EQ(simple.host(), "");
++ EXPECT_EQ(simple.path(), "");
++}
++
+ TEST_F(URLTest, ToFilePath) {
+ #define T(url, path) EXPECT_EQ(path, URL(url).ToFilePath())
+ T("http://example.org/foo/bar", "");
+--
+2.23.0
+
diff --git a/nodejs.spec b/nodejs.spec
index f6b5b87e838d6da31612d84891da89039c51841d..c6f047620cc39bdcbec65677ee75578bb30bf231 100644
--- a/nodejs.spec
+++ b/nodejs.spec
@@ -1,5 +1,5 @@ %bcond_with bootstrap -%global baserelease 1 +%global baserelease 2 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} %global nodejs_epoch 1 %global nodejs_major 10
@@ -57,7 +57,7 @@ Name: nodejs Epoch: %{nodejs_epoch} Version: %{nodejs_version} -Release: 1 +Release: %{nodejs_release} Summary: JavaScript runtime License: MIT and ASL 2.0 and ISC and BSD Group: Development/Languages
@@ -72,6 +72,7 @@ Source7: nodejs_native.attr Patch1: 0001-Disable-running-gyp-on-shared-deps.patch Patch2: 0002-Install-both-binaries-and-use-libdir.patch Patch3: 0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch +Patch4: 0004-src-avoid-OOB-read-in-URL-parser.patch BuildRequires: python2-devel python3-devel zlib-devel gcc >= 6.3.0 BuildRequires: gcc-c++ >= 6.3.0 nodejs-packaging chrpath libatomic
@@ -455,6 +456,9 @@ end %changelog +* Wed Nov 04 2020 gaozhekang - 1:10.21.0-2 +- avoid OOB read in URL parser + * Wed Oct 14 2020 Jeffery.Gao - 1:10.21.0-1 - Update to 10.21.0
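Review bot: In the test_url.cc part of the added 0004 patch, the two new tests appear to reach only two of the three guarded lookaheads in `URL::Parse`: `q:` the non-special branch after the scheme and `http:/` the `kSpecialAuthoritySlashes` case, so nothing visible drives a truncated buffer into `kSpecialRelativeOrAuthority` (presumably that state needs a base URL with the same special scheme; confirm against the parser). Both inputs are unterminated stack arrays, so on unpatched code the over-read is only reliably reported by a sanitizer build, and the `EXPECT_*` results could pass or fail depending on the adjacent byte. In the first node_url.cc hunk the guard `p + 1 < end && p[1] == '/'` has no visible `ch == '/'` precondition, so if `p` can equal `end` there the expression forms a pointer beyond one-past-the-end; `end - p > 1 && p[1] == '/'` states the same bound without that. `URL::Parse` begins and ends outside all three hunks, so other lookahead reads in it cannot be checked from this page.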