File _service:tar_scm:backport-0001-CVE-2024-40897.patch of Package orc
From fb7db9ae3e8ac271651d1884a3611d30bac04a98 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 9 Jul 2024 12:11:37 +0300
Subject: [PATCH 1/2] Use vasprintf() if available for error messages and otherwise vsnprintf()

vasprintf() is a GNU/BSD extension and would allocate as much memory as required on the heap, similar to g_strdup_printf(). It's ridiculous that such a function is still not provided as part of standard C. If it's not available, use vsnprintf() to at least avoid stack/heap buffer overflows, which can lead to arbitrary code execution. Thanks to Noriko Totsuka for reporting.
Fixes JVN#02030803 / JPCERT#92912620 / CVE-2024-40897
Fixes #69
Part-of: <https://gitlab.freedesktop.org/gstreamer/orc/-/merge_requests/191>
---
 meson.build | 1 +
 orc/orccompiler.c | 7 +++++--
 orc/orcparse.c | 14 ++++++++++----
 3 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/meson.build b/meson.build
index d83441c..4b6c225 100644
--- a/meson.build
+++ b/meson.build
@@ -128,6 +128,7 @@ int main() {
 '''
 cdata.set('HAVE_MONOTONIC_CLOCK', cc.compiles(monotonic_test))
 cdata.set('HAVE_GETTIMEOFDAY', cc.has_function('gettimeofday'))
+cdata.set('HAVE_VASPRINTF', cc.has_function('vasprintf'))
 cdata.set('HAVE_POSIX_MEMALIGN', cc.has_function('posix_memalign', prefix : '#include <stdlib.h>'))
 cdata.set('HAVE_MMAP', cc.has_function('mmap'))
 cdata.set('HAVE_SYS_TIME_H', cc.has_header('sys/time.h'))
diff --git a/orc/orccompiler.c b/orc/orccompiler.c
index 94d06d3..b3152e7 100644
--- a/orc/orccompiler.c
+++ b/orc/orccompiler.c
@@ -1331,9 +1331,12 @@ orc_compiler_error_valist (OrcCompiler *compiler, const char *fmt, char *s; if (compiler->error_msg) return; - +#ifdef HAVE_VASPRINTF + vasprintf (&s, fmt, args); +#else s = malloc (ORC_COMPILER_ERROR_BUFFER_SIZE); - vsprintf (s, fmt, args); + vsnprintf (s, ORC_COMPILER_ERROR_BUFFER_SIZE, fmt, args); +#endif compiler->error_msg = s; compiler->error = TRUE; compiler->result = ORC_COMPILE_RESULT_UNKNOWN_COMPILE; diff --git a/orc/orcparse.c b/orc/orcparse.c index b0d6709..8888de4 100644 --- a/orc/orcparse.c +++ b/orc/orcparse.c @@ -424,17 +424,23 @@ orc_parse_get_error_where (OrcParser *parser) static void orc_parse_add_error_valist (OrcParser *parser, const char *format, va_list args) { - char text[ORC_ERROR_LENGTH] = { '\0' }; - if (parser->error_program != parser->program) { parser->error_program = parser->program; } - - vsprintf (text, format, args); +#ifdef HAVE_VASPRINTF + char *text; + vasprintf (&text, format, args); +#else + char text[ORC_ERROR_LENGTH] = { '\0' }; + vsnprintf (text, sizeof (text), format, args); +#endif orc_vector_append (&parser->errors, orc_parse_error_new (orc_parse_get_error_where (parser), parser->line_number, -1, text)); +#ifdef HAVE_VASPRINTF + free (text); +#endif } static void -- 2.27.0
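Review bot: The result of `vasprintf (&s, fmt, args)` is ignored, so when it fails (it returns -1 and leaves the pointer's contents undefined) an indeterminate `s` is stored in `compiler->error_msg`; the same unchecked call in the orcparse.c hunk passes `text` on to `orc_parse_error_new` and then to `free`. Check it at both sites, e.g. `if (vasprintf (&s, fmt, args) < 0) s = NULL;`. In the `#else` branch `malloc` is still unchecked before `vsnprintf` writes through `s`, and truncation at `ORC_COMPILER_ERROR_BUFFER_SIZE` is silent. On glibc the `vasprintf` prototype is only exposed with `_GNU_SOURCE` (or `__STDC_WANT_LIB_EXT2__`) defined, which these hunks do not show, so confirm the build defines it. The body of `orc_compiler_error_valist` starts and ends outside the hunk.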
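Review bot: `orc_parse_add_error_valist` now needs three separate `#ifdef HAVE_VASPRINTF` regions, with `text` being a heap pointer in one configuration and a stack array in the other, which makes the ownership of `text` hard to follow. Moving the formatting into one small static helper that always returns a heap string (or NULL) leaves a single unconditional `free` at the call site and gives one place for the failure check. The helper name below is a suggestion, and whether `orc_parse_error_new` accepts a NULL text is not visible here and needs confirming.

```c
/* Formats into a newly allocated string; returns NULL on failure. Caller frees. */
static char *
orc_parse_format_error (const char *format, va_list args)
{
  char *text = NULL;

#ifdef HAVE_VASPRINTF
  /* On failure vasprintf leaves the pointer undefined, so reset it. */
  if (vasprintf (&text, format, args) < 0)
    text = NULL;
#else
  text = malloc (ORC_ERROR_LENGTH);
  if (text != NULL)
    vsnprintf (text, ORC_ERROR_LENGTH, format, args);
#endif
  return text;
}

static void
orc_parse_add_error_valist (OrcParser *parser, const char *format, va_list args)
{
  char *text;

  /* … unchanged: error_program update … */
  text = orc_parse_format_error (format, args);
  /* … unchanged: orc_vector_append call … */
  free (text);
}
```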