From f9a9b88726e49d11009182f6007d29ba67e9ceba Mon Sep 17 00:00:00 2001
From: Georgy Moshkin <gmoshkin@picodata.io>
Date: Fri, 7 Apr 2023 17:45:06 +0300
Subject: [PATCH] build: apply security patches to vendored dependencies

---
 cmake/BuildICU.cmake                          |  4 --
 cmake/BuildReadline.cmake                     |  2 -
 patches/icu-tarantool-security-45.patch       | 13 -------
 patches/icu-tarantool-security-59.patch       | 21 ----------
 patches/icu-tarantool-security-61.patch       | 15 --------
 patches/icu-tarantool-security-96.patch       | 26 -------------
 patches/readline-tarantool-security-95.patch  | 18 ---------
 patches/readline80-001.patch                  | 38 -------------------
 vendor/icu4c-71_1/source/common/utrie2.cpp    | 10 ++++-
 vendor/icu4c-71_1/source/i18n/dangical.cpp    |  2 +-
 vendor/icu4c-71_1/source/i18n/dangical.h      |  2 +-
 vendor/icu4c-71_1/source/i18n/reldtfmt.cpp    |  2 +-
 vendor/icu4c-71_1/source/i18n/unum.cpp        |  4 +-
 .../ssl/statem/extensions_clnt.c              |  1 +
 vendor/readline-8.0/histfile.c                |  2 +-
 15 files changed, 17 insertions(+), 143 deletions(-)
 delete mode 100644 patches/icu-tarantool-security-45.patch
 delete mode 100644 patches/icu-tarantool-security-59.patch
 delete mode 100644 patches/icu-tarantool-security-61.patch
 delete mode 100644 patches/icu-tarantool-security-96.patch
 delete mode 100644 patches/readline-tarantool-security-95.patch
 delete mode 100644 patches/readline80-001.patch

diff --git a/cmake/BuildICU.cmake b/cmake/BuildICU.cmake
index 28bb6428f2..68b94861c4 100644
--- a/cmake/BuildICU.cmake
+++ b/cmake/BuildICU.cmake
@@ -42,10 +42,6 @@ ExternalProject_Add(bundled-icu-project
         ${CMAKE_COMMAND} -E touch <BINARY_DIR>/uconfig.h &&
         cat <BINARY_DIR>/uconfig.h.prepend <INSTALL_DIR>/include/unicode/uconfig.h >> <BINARY_DIR>/uconfig.h &&
         ${CMAKE_COMMAND} -E copy_if_different <BINARY_DIR>/uconfig.h <INSTALL_DIR>/include/unicode/uconfig.h
-    PATCH_COMMAND patch -d <SOURCE_DIR> -p1 -i "${ICU_PATCHES_DIR}/icu-tarantool-security-45.patch"
-    COMMAND       patch -d <SOURCE_DIR> -p1 -i "${ICU_PATCHES_DIR}/icu-tarantool-security-59.patch"
-    COMMAND       patch -d <SOURCE_DIR> -p1 -i "${ICU_PATCHES_DIR}/icu-tarantool-security-61.patch"
-    COMMAND       patch -d <SOURCE_DIR> -p1 -i "${ICU_PATCHES_DIR}/icu-tarantool-security-96.patch"
     BUILD_BYPRODUCTS ${ICU_I18N_LIBRARY} ${ICU_UC_LIBRARY} ${ICU_DATA_LIBRARY}
     DOWNLOAD_EXTRACT_TIMESTAMP TRUE
 )
diff --git a/cmake/BuildReadline.cmake b/cmake/BuildReadline.cmake
index 70738b3e33..41c821e954 100644
--- a/cmake/BuildReadline.cmake
+++ b/cmake/BuildReadline.cmake
@@ -89,8 +89,6 @@ ExternalProject_Add(bundled-readline-project
 
         --prefix=<INSTALL_DIR>
         --disable-shared
-    PATCH_COMMAND patch -d <SOURCE_DIR> -p0 -i "${READLINE_PATCHES_DIR}/readline80-001.patch"
-    COMMAND       patch -d <SOURCE_DIR> -p1 -i "${READLINE_PATCHES_DIR}/readline-tarantool-security-95.patch"
     BUILD_BYPRODUCTS ${READLINE_LIBRARY}
     DOWNLOAD_EXTRACT_TIMESTAMP TRUE
 )
diff --git a/patches/icu-tarantool-security-45.patch b/patches/icu-tarantool-security-45.patch
deleted file mode 100644
index 6aa44a9034..0000000000
--- a/patches/icu-tarantool-security-45.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/source/i18n/reldtfmt.cpp b/source/i18n/reldtfmt.cpp
-index 5fdef1c..7f65fcd 100644
---- a/source/i18n/reldtfmt.cpp
-+++ b/source/i18n/reldtfmt.cpp
-@@ -495,7 +495,7 @@ struct RelDateFmtDataSink : public ResourceSink {
- 
-         // Put in the proper spot, but don't override existing data.
-         n = offset + UDAT_DIRECTION_THIS; // Converts to index in UDAT_R
--        if (n < fDatesLen && fDatesPtr[n].string == NULL) {
-+        if (0 <= n && n < fDatesLen && fDatesPtr[n].string == NULL) {
-           // Not found and n is an empty slot.
-           fDatesPtr[n].offset = offset;
-           fDatesPtr[n].string = value.getString(len, errorCode);
diff --git a/patches/icu-tarantool-security-59.patch b/patches/icu-tarantool-security-59.patch
deleted file mode 100644
index f41ec006ad..0000000000
--- a/patches/icu-tarantool-security-59.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff --git a/source/common/utrie2.cpp b/source/common/utrie2.cpp
-index 24ef578..359952a 100644
---- a/source/common/utrie2.cpp
-+++ b/source/common/utrie2.cpp
-@@ -574,7 +574,15 @@ enumEitherTrie(const UTrie2 *trie,
-                     c+=UTRIE2_DATA_BLOCK_LENGTH;
-                 } else {
-                     for(j=0; j<UTRIE2_DATA_BLOCK_LENGTH; ++j) {
--                        value=enumValue(context, data32!=NULL ? data32[block+j] : idx[block+j]);
-+                        if (data32!=NULL) {
-+                            value=enumValue(context, data32[block+j]);
-+                        } else if (idx!=NULL) {
-+                            value=enumValue(context, idx[block+j]);
-+                        } else {
-+                            /* data32 and idx are not supposed to be NULL at the same time */
-+                            U_ASSERT(false);
-+                            return;
-+                        }
-                         if(value!=prevValue) {
-                             if(prev<c && !enumRange(context, prev, c-1, prevValue)) {
-                                 return;
diff --git a/patches/icu-tarantool-security-61.patch b/patches/icu-tarantool-security-61.patch
deleted file mode 100644
index d9fce1906d..0000000000
--- a/patches/icu-tarantool-security-61.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff --git a/source/i18n/unum.cpp b/source/i18n/unum.cpp
-index 7043f7a..0f70c5c 100644
---- a/source/i18n/unum.cpp
-+++ b/source/i18n/unum.cpp
-@@ -164,7 +164,9 @@ unum_clone(const UNumberFormat *fmt,
-     } else {
-         const RuleBasedNumberFormat* rbnf = dynamic_cast<const RuleBasedNumberFormat*>(nf);
-         U_ASSERT(rbnf != NULL);
--        res = rbnf->clone();
-+        if (rbnf != NULL) {
-+            res = rbnf->clone();
-+        }
-     }
- 
-     if(res == 0) {
diff --git a/patches/icu-tarantool-security-96.patch b/patches/icu-tarantool-security-96.patch
deleted file mode 100644
index 748b50566c..0000000000
--- a/patches/icu-tarantool-security-96.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff --git a/source/i18n/dangical.cpp b/source/i18n/dangical.cpp
-index 234c44b..f5343d0 100644
---- a/source/i18n/dangical.cpp
-+++ b/source/i18n/dangical.cpp
-@@ -136,7 +136,7 @@ static void U_CALLCONV initDangiCalZoneAstroCalc(UErrorCode &status) {
-     ucln_i18n_registerCleanup(UCLN_I18N_DANGI_CALENDAR, calendar_dangi_cleanup);
- }
- 
--const TimeZone* DangiCalendar::getDangiCalZoneAstroCalc(UErrorCode &status) const {
-+const TimeZone* DangiCalendar::getDangiCalZoneAstroCalc(UErrorCode &status) {
-     umtx_initOnce(gDangiCalendarInitOnce, &initDangiCalZoneAstroCalc, status);
-     return gDangiCalendarZoneAstroCalc;
- }
-diff --git a/source/i18n/dangical.h b/source/i18n/dangical.h
-index 128f3af..e240272 100644
---- a/source/i18n/dangical.h
-+++ b/source/i18n/dangical.h
-@@ -74,7 +74,7 @@ class DangiCalendar : public ChineseCalendar {
- 
-  private:
- 
--  const TimeZone* getDangiCalZoneAstroCalc(UErrorCode &status) const;
-+  static const TimeZone* getDangiCalZoneAstroCalc(UErrorCode &status);
- 
-   // UObject stuff
-  public: 
diff --git a/patches/readline-tarantool-security-95.patch b/patches/readline-tarantool-security-95.patch
deleted file mode 100644
index c4fa559815..0000000000
--- a/patches/readline-tarantool-security-95.patch
+++ /dev/null
@@ -1,18 +0,0 @@
---- readline.old/histfile.c	2023-02-17 13:01:18.515248292 +0300
-+++ readline/histfile.c	2023-02-17 13:02:42.034252562 +0300
-@@ -492,6 +492,7 @@
-   tempname = 0;
-   file = filename ? open (filename, O_RDONLY|O_BINARY, 0666) : -1;
-   rv = exists = 0;
-+  orig_lines = lines;
- 
-   /* Don't try to truncate non-regular files. */
-   if (file == -1 || fstat (file, &finfo) == -1)
-@@ -547,7 +548,6 @@
-       goto truncate_exit;
-     }
- 
--  orig_lines = lines;
-   /* Count backwards from the end of buffer until we have passed
-      LINES lines.  bp1 is set funny initially.  But since bp[1] can't
-      be a comment character (since it's off the end) and *bp can't be
diff --git a/patches/readline80-001.patch b/patches/readline80-001.patch
deleted file mode 100644
index aa72a9dfa7..0000000000
--- a/patches/readline80-001.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-			   READLINE PATCH REPORT
-			   =====================
-
-Readline-Release: 8.0
-Patch-ID: readline80-001
-
-Bug-Reported-by:	chet.ramey@case.edu
-Bug-Reference-ID:
-Bug-Reference-URL:
-
-Bug-Description:
-
-The history file reading code doesn't close the file descriptor open to
-the history file when it encounters a zero-length file.
-
-Patch (apply with `patch -p0'):
-
-*** ../readline-8.0-patched/histfile.c	2018-06-11 09:14:52.000000000 -0400
---- histfile.c	2019-05-16 15:55:57.000000000 -0400
-***************
-*** 306,309 ****
---- 312,316 ----
-      {
-        free (input);
-+       close (file);
-        return 0;	/* don't waste time if we don't have to */
-      }
-*** ../readline-8.0/patchlevel	2013-11-15 08:11:11.000000000 -0500
---- patchlevel	2014-03-21 08:28:40.000000000 -0400
-***************
-*** 1,3 ****
-  # Do not edit -- exists only for use by patch
-  
-! 0
---- 1,3 ----
-  # Do not edit -- exists only for use by patch
-  
-! 1
diff --git a/vendor/icu4c-71_1/source/common/utrie2.cpp b/vendor/icu4c-71_1/source/common/utrie2.cpp
index 24ef5782c9..359952a571 100644
--- a/vendor/icu4c-71_1/source/common/utrie2.cpp
+++ b/vendor/icu4c-71_1/source/common/utrie2.cpp
@@ -574,7 +574,15 @@ enumEitherTrie(const UTrie2 *trie,
                     c+=UTRIE2_DATA_BLOCK_LENGTH;
                 } else {
                     for(j=0; j<UTRIE2_DATA_BLOCK_LENGTH; ++j) {
-                        value=enumValue(context, data32!=NULL ? data32[block+j] : idx[block+j]);
+                        if (data32!=NULL) {
+                            value=enumValue(context, data32[block+j]);
+                        } else if (idx!=NULL) {
+                            value=enumValue(context, idx[block+j]);
+                        } else {
+                            /* data32 and idx are not supposed to be NULL at the same time */
+                            U_ASSERT(false);
+                            return;
+                        }
                         if(value!=prevValue) {
                             if(prev<c && !enumRange(context, prev, c-1, prevValue)) {
                                 return;
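Review bot: In the new `else` branch, `U_ASSERT(false); return;` ends the enumeration without signalling anything to the caller. ICU's `U_ASSERT` expands to nothing unless the build enables `U_DEBUG`, and the bare `return;` carries no status, so a release build would silently produce a truncated range walk when both `data32` and `idx` are NULL. The two NULL tests also appear loop-invariant yet run for every `j`; a single check ahead of the loops would be clearer, though `enumEitherTrie` starts and ends outside this hunk, so any earlier use of `idx` cannot be confirmed from here. The `unum.cpp` hunk has the same debug/release split: `U_ASSERT(rbnf != NULL)` stays above the new `if (rbnf != NULL)`, so debug builds abort where release builds fall through to `if(res == 0)`. Since the standalone files under `patches/` are deleted by this commit, a comment on each guard such as `/* local hardening, not upstream ICU: keep when re-vendoring */` would stop the fixes being lost on the next vendor bump.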
diff --git a/vendor/icu4c-71_1/source/i18n/dangical.cpp b/vendor/icu4c-71_1/source/i18n/dangical.cpp
index 57fe80220b..51e1af2513 100644
--- a/vendor/icu4c-71_1/source/i18n/dangical.cpp
+++ b/vendor/icu4c-71_1/source/i18n/dangical.cpp
@@ -136,7 +136,7 @@ static void U_CALLCONV initDangiCalZoneAstroCalc(UErrorCode &status) {
     ucln_i18n_registerCleanup(UCLN_I18N_DANGI_CALENDAR, calendar_dangi_cleanup);
 }
 
-const TimeZone* DangiCalendar::getDangiCalZoneAstroCalc(UErrorCode &status) const {
+const TimeZone* DangiCalendar::getDangiCalZoneAstroCalc(UErrorCode &status) {
     umtx_initOnce(gDangiCalendarInitOnce, &initDangiCalZoneAstroCalc, status);
     return gDangiCalendarZoneAstroCalc;
 }
diff --git a/vendor/icu4c-71_1/source/i18n/dangical.h b/vendor/icu4c-71_1/source/i18n/dangical.h
index 9d0437264e..642fa6cacc 100644
--- a/vendor/icu4c-71_1/source/i18n/dangical.h
+++ b/vendor/icu4c-71_1/source/i18n/dangical.h
@@ -74,7 +74,7 @@ class DangiCalendar : public ChineseCalendar {
 
  private:
 
-  const TimeZone* getDangiCalZoneAstroCalc(UErrorCode &status) const;
+  static const TimeZone* getDangiCalZoneAstroCalc(UErrorCode &status);
 
   // UObject stuff
  public: 
diff --git a/vendor/icu4c-71_1/source/i18n/reldtfmt.cpp b/vendor/icu4c-71_1/source/i18n/reldtfmt.cpp
index 5fdef1c0d6..7f65fcddb3 100644
--- a/vendor/icu4c-71_1/source/i18n/reldtfmt.cpp
+++ b/vendor/icu4c-71_1/source/i18n/reldtfmt.cpp
@@ -495,7 +495,7 @@ struct RelDateFmtDataSink : public ResourceSink {
 
         // Put in the proper spot, but don't override existing data.
         n = offset + UDAT_DIRECTION_THIS; // Converts to index in UDAT_R
-        if (n < fDatesLen && fDatesPtr[n].string == NULL) {
+        if (0 <= n && n < fDatesLen && fDatesPtr[n].string == NULL) {
           // Not found and n is an empty slot.
           fDatesPtr[n].offset = offset;
           fDatesPtr[n].string = value.getString(len, errorCode);
diff --git a/vendor/icu4c-71_1/source/i18n/unum.cpp b/vendor/icu4c-71_1/source/i18n/unum.cpp
index 7043f7adc1..0f70c5cc34 100644
--- a/vendor/icu4c-71_1/source/i18n/unum.cpp
+++ b/vendor/icu4c-71_1/source/i18n/unum.cpp
@@ -164,7 +164,9 @@ unum_clone(const UNumberFormat *fmt,
     } else {
         const RuleBasedNumberFormat* rbnf = dynamic_cast<const RuleBasedNumberFormat*>(nf);
         U_ASSERT(rbnf != NULL);
-        res = rbnf->clone();
+        if (rbnf != NULL) {
+            res = rbnf->clone();
+        }
     }
 
     if(res == 0) {
diff --git a/vendor/openssl-3.2.3/ssl/statem/extensions_clnt.c b/vendor/openssl-3.2.3/ssl/statem/extensions_clnt.c
index 5bce30b584..7d6454310b 100644
--- a/vendor/openssl-3.2.3/ssl/statem/extensions_clnt.c
+++ b/vendor/openssl-3.2.3/ssl/statem/extensions_clnt.c
@@ -286,6 +286,7 @@ EXT_RETURN tls_construct_ctos_session_ticket(SSL_CONNECTION *s, WPACKET *pkt,
         return EXT_RETURN_NOT_SENT;
 
     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
+            || !s->session
             || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
         return EXT_RETURN_FAIL;
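Review bot: The added `|| !s->session` sits after `WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)`, so a NULL session is only detected once the extension type has been written, and it is then reported through `SSLfatal` as `SSL_AD_INTERNAL_ERROR`, which aborts the handshake. If this point can legitimately be reached with no session and a zero `ticklen`, failing is stricter than needed; `ticklen` is assigned outside the hunk, so this is not certain. In that case `s->session != NULL ? s->session->ext.tick : NULL` as the copy source would avoid the dereference without failing, provided the packet writer accepts a zero-length copy. Either way the test reads more clearly as `s->session == NULL` placed first in the condition. Unlike the ICU and readline fixes, this change had no file under `patches/` describing it, so a comment marking it as a local modification to vendored OpenSSL would help.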
diff --git a/vendor/readline-8.0/histfile.c b/vendor/readline-8.0/histfile.c
index dc64bde1c5..cfd6273cd3 100644
--- a/vendor/readline-8.0/histfile.c
+++ b/vendor/readline-8.0/histfile.c
@@ -491,6 +491,7 @@ history_truncate_file (const char *fname, int lines)
   tempname = 0;
   file = filename ? open (filename, O_RDONLY|O_BINARY, 0666) : -1;
   rv = exists = 0;
+  orig_lines = lines;
 
   /* Don't try to truncate non-regular files. */
   if (file == -1 || fstat (file, &finfo) == -1)
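Review bot: The `close (file)` fix carried by the deleted `patches/readline80-001.patch` does not appear in this commit's changes to `vendor/readline-8.0/histfile.c`. The diffstat lists one insertion and one deletion for the file, both accounted for by moving `orig_lines = lines;`, and no `patchlevel` change is listed. With the `PATCH_COMMAND` removed from `cmake/BuildReadline.cmake`, the descriptor leak on a zero-length history file described in that patch comes back unless the vendored tree already contains the fix, so this is worth confirming and stating in the commit message. For the moved assignment, a comment such as `/* set before the early exits below so orig_lines is never read uninitialised */` would record why it sits here. That reading is inferred, because the uses of `orig_lines` and the rest of `history_truncate_file` lie outside the hunk.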
@@ -546,7 +547,6 @@ history_truncate_file (const char *fname, int lines)
       goto truncate_exit;
     }
 
-  orig_lines = lines;
   /* Count backwards from the end of buffer until we have passed
      LINES lines.  bp1 is set funny initially.  But since bp[1] can't
      be a comment character (since it's off the end) and *bp can't be
-- 
GitLab