blob: c21794d147d622ccebc013d0eabbd16a8a9f7e32 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
From 95ab3786ce0f16e08e41f7bf216969a37dc86cad Mon Sep 17 00:00:00 2001
From: Jan Kraemer <jan@spectrejan.de>
Date: Thu, 7 Oct 2021 12:48:04 +0200
Subject: [PATCH] brotli: fix CVE-2020-8927
[No upstream tracking] --
This fixes a potential overflow when input chunk is >2GiB in
BrotliGetAvailableBits by capping the returned value to 2^30
Fixed in brotli version 1.0.8
https://github.com/google/brotli as of commit id
223d80cfbec8fd346e32906c732c8ede21f0cea6
Patch taken from Debian Buster: 1.0.7-2+deb10u1
http://deb.debian.org/debian/pool/main/b/brotli/brotli_1.0.7-2+deb10u1.dsc
https://security-tracker.debian.org/tracker/CVE-2020-8927
Upstream-Status: Backported
CVE: CVE-2020-8927
Signed-off-by: Jan Kraemer <jan@spectrejan.de>
---
c/dec/bit_reader.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/c/dec/bit_reader.h b/c/dec/bit_reader.h
index c06e914..0d20312 100644
--- a/c/dec/bit_reader.h
+++ b/c/dec/bit_reader.h
@@ -87,8 +87,11 @@ static BROTLI_INLINE uint32_t BrotliGetAvailableBits(
}
/* Returns amount of unread bytes the bit reader still has buffered from the
- BrotliInput, including whole bytes in br->val_. */
+ BrotliInput, including whole bytes in br->val_. Result is capped with
+ maximal ring-buffer size (larger number won't be utilized anyway). */
static BROTLI_INLINE size_t BrotliGetRemainingBytes(BrotliBitReader* br) {
+ static const size_t kCap = (size_t)1 << 30;
+ if (br->avail_in > kCap) return kCap;
return br->avail_in + (BrotliGetAvailableBits(br) >> 3);
}
|