From fe830ffd8d761cee27edd069e3d99c1ab891cbf3 Mon Sep 17 00:00:00 2001
From: Efraim Flashner <efraim@flashner.co.il>
Date: Mon, 8 Mar 2021 15:48:08 +0200
Subject: gnu: libcaca: Patch for CVE-2021-3410.

* gnu/packages/video.scm (libcaca)[source]: Add patches.
* gnu/packages/patches/libcaca-CVE-2021-3410-pt1.patch,
gnu/packages/patches/libcaca-CVE-2021-3410-pt2.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.
---
 gnu/local.mk                                       |   2 +
 .../patches/libcaca-CVE-2021-3410-pt1.patch        | 137 +++++++++++++++++++++
 .../patches/libcaca-CVE-2021-3410-pt2.patch        |  96 +++++++++++++++
 gnu/packages/video.scm                             |   6 +-
 4 files changed, 239 insertions(+), 2 deletions(-)
 create mode 100644 gnu/packages/patches/libcaca-CVE-2021-3410-pt1.patch
 create mode 100644 gnu/packages/patches/libcaca-CVE-2021-3410-pt2.patch

(limited to 'gnu')

diff --git a/gnu/local.mk b/gnu/local.mk
index fb3b395852..3a516d487f 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1266,6 +1266,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/libbase-fix-includes.patch		\
   %D%/packages/patches/libbase-use-own-logging.patch		\
   %D%/packages/patches/libbonobo-activation-test-race.patch	\
+  %D%/packages/patches/libcaca-CVE-2021-3410-pt1.patch		\
+  %D%/packages/patches/libcaca-CVE-2021-3410-pt2.patch		\
   %D%/packages/patches/libcanberra-sound-theme-freedesktop.patch \
   %D%/packages/patches/libcanberra-wayland-crash.patch \
   %D%/packages/patches/libcyaml-libyaml-compat.patch		\
diff --git a/gnu/packages/patches/libcaca-CVE-2021-3410-pt1.patch b/gnu/packages/patches/libcaca-CVE-2021-3410-pt1.patch
new file mode 100644
index 0000000000..b23b01d33a
--- /dev/null
+++ b/gnu/packages/patches/libcaca-CVE-2021-3410-pt1.patch
@@ -0,0 +1,137 @@
+https://github.com/cacalabs/libcaca/commit/46b4ea7cea72d6b3ffe65d33e604b1774dcc2bbd.patch
+
+From 46b4ea7cea72d6b3ffe65d33e604b1774dcc2bbd Mon Sep 17 00:00:00 2001
+From: Sam Hocevar <sam@hocevar.net>
+Date: Fri, 26 Feb 2021 10:55:38 +0100
+Subject: [PATCH] canvas: fix an integer overflow in caca_resize().
+
+Fixes: #52 (CVE-2021-3410)
+---
+ caca/canvas.c       | 13 +++++++++++--
+ caca/codec/import.c |  1 +
+ caca/codec/text.c   | 21 ++++++++++++++-------
+ 3 files changed, 26 insertions(+), 9 deletions(-)
+
+diff --git a/caca/canvas.c b/caca/canvas.c
+index 3fdd37ae..d0715392 100644
+--- a/caca/canvas.c
++++ b/caca/canvas.c
+@@ -45,6 +45,7 @@ static int caca_resize(caca_canvas_t *, int, int);
+  *
+  *  If an error occurs, NULL is returned and \b errno is set accordingly:
+  *  - \c EINVAL Specified width or height is invalid.
++ *  - \c EOVERFLOW Specified width and height overflowed.
+  *  - \c ENOMEM Not enough memory for the requested canvas size.
+  *
+  *  \param width The desired canvas width
+@@ -200,6 +201,7 @@ int caca_unmanage_canvas(caca_canvas_t *cv, int (*callback)(void *), void *p)
+  *
+  *  If an error occurs, -1 is returned and \b errno is set accordingly:
+  *  - \c EINVAL Specified width or height is invalid.
++ *  - \c EOVERFLOW Specified width and height overflowed.
+  *  - \c EBUSY The canvas is in use by a display driver and cannot be resized.
+  *  - \c ENOMEM Not enough memory for the requested canvas size. If this
+  *    happens, the canvas handle becomes invalid and should not be used.
+@@ -363,7 +365,7 @@ int caca_rand(int min, int max)
+ 
+ int caca_resize(caca_canvas_t *cv, int width, int height)
+ {
+-    int x, y, f, old_width, old_height, new_size, old_size;
++    int x, y, f, old_width, old_height, old_size;
+ 
+     old_width = cv->width;
+     old_height = cv->height;
+@@ -375,7 +377,14 @@ int caca_resize(caca_canvas_t *cv, int width, int height)
+      * dirty rectangle handling */
+     cv->width = width;
+     cv->height = height;
+-    new_size = width * height;
++    int new_size = width * height;
++
++    /* Check for overflow */
++    if (new_size / width != height)
++    {
++        seterrno(EOVERFLOW);
++        return -1;
++    }
+ 
+     /* If width or height is smaller (or both), we have the opportunity to
+      * reduce or even remove dirty rectangles */
+diff --git a/caca/codec/import.c b/caca/codec/import.c
+index 8836fd08..2dafe3cf 100644
+--- a/caca/codec/import.c
++++ b/caca/codec/import.c
+@@ -61,6 +61,7 @@ static ssize_t import_caca(caca_canvas_t *, void const *, size_t);
+  *
+  *  If an error occurs, -1 is returned and \b errno is set accordingly:
+  *  - \c ENOMEM Not enough memory to allocate canvas.
++ *  - \c EOVERFLOW Importing data caused a value overflow.
+  *  - \c EINVAL Invalid format requested.
+  *
+  *  \param cv A libcaca canvas in which to import the file.
+diff --git a/caca/codec/text.c b/caca/codec/text.c
+index 358b7224..94a2a4d7 100644
+--- a/caca/codec/text.c
++++ b/caca/codec/text.c
+@@ -46,7 +46,7 @@ ssize_t _import_text(caca_canvas_t *cv, void const *data, size_t size)
+     char const *text = (char const *)data;
+     unsigned int width = 0, height = 0, x = 0, y = 0, i;
+ 
+-    caca_set_canvas_size(cv, width, height);
++    caca_set_canvas_size(cv, 0, 0);
+ 
+     for(i = 0; i < size; i++)
+     {
+@@ -70,15 +70,19 @@ ssize_t _import_text(caca_canvas_t *cv, void const *data, size_t size)
+             if(y >= height)
+                 height = y + 1;
+ 
+-            caca_set_canvas_size(cv, width, height);
++            if (caca_set_canvas_size(cv, width, height) < 0)
++                return -1;
+         }
+ 
+         caca_put_char(cv, x, y, ch);
+         x++;
+     }
+ 
+-    if(y > height)
+-        caca_set_canvas_size(cv, width, height = y);
++    if (y > height)
++    {
++        if (caca_set_canvas_size(cv, width, height = y) < 0)
++            return -1;
++    }
+ 
+     return (ssize_t)size;
+ }
+@@ -431,7 +435,8 @@ ssize_t _import_ansi(caca_canvas_t *cv, void const *data, size_t size, int utf8)
+             {
+                 savedattr = caca_get_attr(cv, -1, -1);
+                 caca_set_attr(cv, im.clearattr);
+-                caca_set_canvas_size(cv, width = x + wch, height);
++                if (caca_set_canvas_size(cv, width = x + wch, height) < 0)
++                    return -1;
+                 caca_set_attr(cv, savedattr);
+             }
+             else
+@@ -448,7 +453,8 @@ ssize_t _import_ansi(caca_canvas_t *cv, void const *data, size_t size, int utf8)
+             caca_set_attr(cv, im.clearattr);
+             if(growy)
+             {
+-                caca_set_canvas_size(cv, width, height = y + 1);
++                if (caca_set_canvas_size(cv, width, height = y + 1) < 0)
++                    return -1;
+             }
+             else
+             {
+@@ -480,7 +486,8 @@ ssize_t _import_ansi(caca_canvas_t *cv, void const *data, size_t size, int utf8)
+     {
+         savedattr = caca_get_attr(cv, -1, -1);
+         caca_set_attr(cv, im.clearattr);
+-        caca_set_canvas_size(cv, width, height = y);
++        if (caca_set_canvas_size(cv, width, height = y))
++            return -1;
+         caca_set_attr(cv, savedattr);
+     }
+ 
diff --git a/gnu/packages/patches/libcaca-CVE-2021-3410-pt2.patch b/gnu/packages/patches/libcaca-CVE-2021-3410-pt2.patch
new file mode 100644
index 0000000000..e6fd506b37
--- /dev/null
+++ b/gnu/packages/patches/libcaca-CVE-2021-3410-pt2.patch
@@ -0,0 +1,96 @@
+https://github.com/cacalabs/libcaca/commit/e4968ba6e93e9fd35429eb16895c785c51072015.patch
+Patch adjusted to remove the lines modifying caca/t/canvas.cpp. This file does not exist in the current release.
+
+From e4968ba6e93e9fd35429eb16895c785c51072015 Mon Sep 17 00:00:00 2001
+From: Sam Hocevar <sam@hocevar.net>
+Date: Fri, 26 Feb 2021 12:40:06 +0100
+Subject: [PATCH] Fix a problem in the caca_resize() overflow detection and add
+ several unit tests.
+
+---
+ caca/canvas.c     | 16 ++++++++--------
+ caca/t/canvas.cpp | 18 +++++++++++++++---
+ tools/makefont.c  | 22 +++++++++++++++++++---
+ 3 files changed, 42 insertions(+), 14 deletions(-)
+
+diff --git a/caca/canvas.c b/caca/canvas.c
+index d0715392..08c628c9 100644
+--- a/caca/canvas.c
++++ b/caca/canvas.c
+@@ -367,6 +367,14 @@ int caca_resize(caca_canvas_t *cv, int width, int height)
+ {
+     int x, y, f, old_width, old_height, old_size;
+ 
++    /* Check for overflow */
++    int new_size = width * height;
++    if (new_size < 0 || (width > 0 && new_size / width != height))
++    {
++        seterrno(EOVERFLOW);
++        return -1;
++    }
++
+     old_width = cv->width;
+     old_height = cv->height;
+     old_size = old_width * old_height;
+@@ -377,14 +385,6 @@ int caca_resize(caca_canvas_t *cv, int width, int height)
+      * dirty rectangle handling */
+     cv->width = width;
+     cv->height = height;
+-    int new_size = width * height;
+-
+-    /* Check for overflow */
+-    if (new_size / width != height)
+-    {
+-        seterrno(EOVERFLOW);
+-        return -1;
+-    }
+ 
+     /* If width or height is smaller (or both), we have the opportunity to
+      * reduce or even remove dirty rectangles */
+diff --git a/tools/makefont.c b/tools/makefont.c
+index 226c8838..66718605 100644
+--- a/tools/makefont.c
++++ b/tools/makefont.c
+@@ -40,7 +40,8 @@
+  * and the UTF-8 glyphs necessary for canvas rotation and mirroring. */
+ static unsigned int const blocklist[] =
+ {
+-    0x0000, 0x0080, /* Basic latin: A, B, C, a, b, c */
++    0x0020, 0x0080, /* Basic latin: A, B, C, a, b, c */
++#if 0
+     0x0080, 0x0100, /* Latin-1 Supplement: Ä, Ç, å, ß */
+     0x0100, 0x0180, /* Latin Extended-A: Ā č Ō œ */
+     0x0180, 0x0250, /* Latin Extended-B: Ǝ Ƹ */
+@@ -63,6 +64,7 @@ static unsigned int const blocklist[] =
+     0x30a0, 0x3100, /* Katakana: ロ ル */
+     0xff00, 0xfff0, /* Halfwidth and Fullwidth Forms: Ａ, Ｂ, Ｃ, ａ, ｂ, ｃ */
+     0x10400, 0x10450, /* Deseret: 𐐒 𐐋 */
++#endif
+     0, 0
+ };
+ 
+@@ -317,8 +319,22 @@ int main(int argc, char *argv[])
+             printf_unicode(&gtab[n]);
+ 
+             if(gtab[n].same_as == n)
+-                printf_hex(" */ %s\n",
+-                           glyph_data + gtab[n].data_offset, gtab[n].data_size);
++            {
++                char const *lut = " .:nmW@";
++                printf("\n");
++                for (int y = 0; y < height; ++y)
++                {
++                    for (int x = 0; x < gtab[n].data_width; ++x)
++                    {
++                        int val = glyph_data[gtab[n].data_offset + y * gtab[n].data_width + x];
++                        char ch = lut[val * val * 7 / 256 / 256];
++                        printf("%c%c", ch, ch);
++                    }
++                    printf("\n");
++                }
++                //printf_hex(" */ %s\n",
++                //           glyph_data + gtab[n].data_offset, gtab[n].data_size);
++            }
+             else
+             {
+                 printf(" is ");
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index a46a55e855..92ecfb99ff 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -3,7 +3,7 @@
 ;;; Copyright © 2014, 2015, 2016 David Thompson <davet@gnu.org>
 ;;; Copyright © 2014, 2015, 2016, 2018, 2020 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer <taylanbayirli@gmail.com>
-;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020, 2021 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2015 Andy Patterson <ajpatter@uwaterloo.ca>
 ;;; Copyright © 2015, 2018, 2019, 2020 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2015, 2016, 2017, 2018, 2019 Alex Vong <alexvong1995@gmail.com>
@@ -1234,7 +1234,9 @@ (define-public libcaca
                                   version ".tar.gz"))
               (sha256
                (base32
-                "1x3j6yfyxl52adgnabycr0n38j9hx2j74la0hz0n8cnh9ry4d2qj"))))
+                "1x3j6yfyxl52adgnabycr0n38j9hx2j74la0hz0n8cnh9ry4d2qj"))
+              (patches (search-patches "libcaca-CVE-2021-3410-pt1.patch"
+                                       "libcaca-CVE-2021-3410-pt2.patch"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags '("--disable-static")))
-- 
cgit v1.2.3