Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ASB - Security Patch integration October 2023 #2109

Merged
merged 1 commit into from
Oct 9, 2023
Merged

ASB - Security Patch integration October 2023 #2109

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion aosp_diff/preliminary/build/make/04_0004-Update-security_patch_level-string.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ index 47bb92c142..2d0ac256a4 100644
# It must match one of the Android Security Patch Level strings of the Public Security Bulletins.
# If there is no $PLATFORM_SECURITY_PATCH set, keep it empty.
- PLATFORM_SECURITY_PATCH := 2022-02-05
+ PLATFORM_SECURITY_PATCH := 2023-09-01
+ PLATFORM_SECURITY_PATCH := 2023-10-01
endif
.KATI_READONLY := PLATFORM_SECURITY_PATCH

Expand Down
126 changes: 126 additions & 0 deletions ...nary/external/libxml2/0001-malloc-fail-Fix-OOB-read-after-xmlRegGetCounter.bulletin.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,126 @@
From f8016cd3e5e5ddef29a97122382fbd863813f9d3 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <[email protected]>
Date: Fri, 17 Feb 2023 15:53:07 +0100
Subject: [PATCH] malloc-fail: Fix OOB read after xmlRegGetCounter

Found with libFuzzer, see #344.

(cherry picked from commit 1743c4c3fc58cf38ecce68db9de51d0f3651e033)

I also copied the error label from
e64653c0e7975594e27d7de2ed4be062c1e4ad03 to fix the build failure.

Bug: http://b/274231102
Test: TreeHugger
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:761198eaee09f721452adfefa92b9a6c9b875f24)
Merged-In: I3bad3e03092e17a761cb6e299aff848ebd35b6f4
Change-Id: I3bad3e03092e17a761cb6e299aff848ebd35b6f4
---
xmlregexp.c | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)

diff --git a/xmlregexp.c b/xmlregexp.c
index 40dabb20..0395219a 100644
--- a/xmlregexp.c
+++ b/xmlregexp.c
@@ -1673,6 +1673,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from,
return(-1);
inter = ctxt->state;
counter = xmlRegGetCounter(ctxt);
+ if (counter < 0)
+ return(-1);
ctxt->counters[counter].min = atom->min - 1;
ctxt->counters[counter].max = atom->max - 1;
/* count the number of times we see it again */
@@ -1691,6 +1693,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from,
* epsilon transition.
*/
counter = xmlRegGetCounter(ctxt);
+ if (counter < 0)
+ return(-1);
ctxt->counters[counter].min = atom->min - 1;
ctxt->counters[counter].max = atom->max - 1;
/* count the number of times we see it again */
@@ -6008,6 +6012,8 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
* associate a counter to the transition.
*/
counter = xmlRegGetCounter(am);
+ if (counter < 0)
+ goto error;
am->counters[counter].min = min;
am->counters[counter].max = max;

@@ -6027,6 +6033,10 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
if (min == 0)
xmlFAGenerateEpsilonTransition(am, from, to);
return(to);
+
+error:
+ xmlRegFreeAtom(atom);
+ return(NULL);
}

/**
@@ -6074,6 +6084,8 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
* associate a counter to the transition.
*/
counter = xmlRegGetCounter(am);
+ if (counter < 0)
+ goto error;
am->counters[counter].min = min;
am->counters[counter].max = max;

@@ -6093,6 +6105,10 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
if (min == 0)
xmlFAGenerateEpsilonTransition(am, from, to);
return(to);
+
+error:
+ xmlRegFreeAtom(atom);
+ return(NULL);
}

/**
@@ -6160,6 +6176,8 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
* associate a counter to the transition.
*/
counter = xmlRegGetCounter(am);
+ if (counter < 0)
+ goto error;
am->counters[counter].min = 1;
am->counters[counter].max = 1;

@@ -6172,6 +6190,10 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
xmlRegAtomPush(am, atom);
am->state = to;
return(to);
+
+error:
+ xmlRegFreeAtom(atom);
+ return(NULL);
}


@@ -6219,6 +6241,8 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
* associate a counter to the transition.
*/
counter = xmlRegGetCounter(am);
+ if (counter < 0)
+ goto error;
am->counters[counter].min = 1;
am->counters[counter].max = 1;

@@ -6231,6 +6255,10 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
xmlRegAtomPush(am, atom);
am->state = to;
return(to);
+
+error:
+ xmlRegFreeAtom(atom);
+ return(NULL);
}

/**
--
2.42.0.rc2.253.gd59a3bf2b4-goog

Loading
Loading