From owner-svn-ports-branches@freebsd.org Wed Jul 29 17:01:45 2015 Return-Path: Delivered-To: svn-ports-branches@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7E9419ACD48; Wed, 29 Jul 2015 17:01:45 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 627C11630; Wed, 29 Jul 2015 17:01:45 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.70]) by repo.freebsd.org (8.14.9/8.14.9) with ESMTP id t6TH1jgS038421; Wed, 29 Jul 2015 17:01:45 GMT (envelope-from feld@FreeBSD.org) Received: (from feld@localhost) by repo.freebsd.org (8.14.9/8.14.9/Submit) id t6TH1iRR038417; Wed, 29 Jul 2015 17:01:44 GMT (envelope-from feld@FreeBSD.org) Message-Id: <201507291701.t6TH1iRR038417@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: feld set sender to feld@FreeBSD.org using -f From: Mark Felder Date: Wed, 29 Jul 2015 17:01:44 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r393187 - in branches/2015Q3/lang: v8 v8-devel v8-devel/files v8/files X-SVN-Group: ports-branches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-branches@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for all the branches of the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Jul 2015 17:01:45 -0000 Author: feld Date: Wed Jul 29 17:01:43 2015 New Revision: 393187 URL: https://svnweb.freebsd.org/changeset/ports/393187 Log: MFH: r393186 lang/v8, lang/v8-devel: Backport CVE fix This fix has been backported instead of upgrading to a newer release as the upstream release process is a complicated fast-moving target and the current ports are using custom snapshots created by the port maintainer. This will also limit the amount of potential fallout as we know the existing v8 port works well enough to keep mongodb up to date. PR: 201450 Security: CVE-2015-5380 Security: 864e6f75-2372-11e5-86ff-14dae9d210b8 Approved by: ports-secteam (with hat) Added: branches/2015Q3/lang/v8-devel/files/patch-CVE-2015-5380 - copied unchanged from r393186, head/lang/v8-devel/files/patch-CVE-2015-5380 branches/2015Q3/lang/v8/files/ - copied from r393186, head/lang/v8/files/ Modified: branches/2015Q3/lang/v8-devel/Makefile branches/2015Q3/lang/v8/Makefile Directory Properties: branches/2015Q3/ (props changed) Modified: branches/2015Q3/lang/v8-devel/Makefile ============================================================================== --- branches/2015Q3/lang/v8-devel/Makefile Wed Jul 29 17:00:29 2015 (r393186) +++ branches/2015Q3/lang/v8-devel/Makefile Wed Jul 29 17:01:43 2015 (r393187) @@ -3,7 +3,7 @@ PORTNAME= v8 PORTVERSION= 3.27.7 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= lang MASTER_SITES= LOCAL/vanilla PKGNAMESUFFIX= -devel Copied: branches/2015Q3/lang/v8-devel/files/patch-CVE-2015-5380 (from r393186, head/lang/v8-devel/files/patch-CVE-2015-5380) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2015Q3/lang/v8-devel/files/patch-CVE-2015-5380 Wed Jul 29 17:01:43 2015 (r393187, copy of r393186, head/lang/v8-devel/files/patch-CVE-2015-5380) @@ -0,0 +1,95 @@ +Backport of fix found here: +https://github.com/joyent/node/commit/78b0e30954111cfaba0edbeee85450d8cbc6fdf6 + +Note, this patch is modified to use ASSERT instead of DCHECK because +this version of node is from before the rename which happened here: +https://codereview.chromium.org/430503007 + +--- src/unicode-inl.h.orig 2013-05-01 12:56:29 UTC ++++ src/unicode-inl.h +@@ -168,6 +168,7 @@ unsigned Utf8::Length(uchar c, int previ + + Utf8DecoderBase::Utf8DecoderBase() + : unbuffered_start_(NULL), ++ unbuffered_length_(0), + utf16_length_(0), + last_byte_of_buffer_unused_(false) {} + +@@ -207,8 +208,7 @@ unsigned Utf8Decoder::Write + if (length <= buffer_length) return length; + ASSERT(unbuffered_start_ != NULL); + // Copy the rest the slow way. +- WriteUtf16Slow(unbuffered_start_, +- data + buffer_length, ++ WriteUtf16Slow(unbuffered_start_, unbuffered_length_, data + buffer_length, + length - buffer_length); + return length; + } +--- src/unicode.cc.orig 2013-05-01 12:56:29 UTC ++++ src/unicode.cc +@@ -284,6 +284,7 @@ void Utf8DecoderBase::Reset(uint16_t* bu + // Assume everything will fit in the buffer and stream won't be needed. + last_byte_of_buffer_unused_ = false; + unbuffered_start_ = NULL; ++ unbuffered_length_ = 0; + bool writing_to_buffer = true; + // Loop until stream is read, writing to buffer as long as buffer has space. + unsigned utf16_length = 0; +@@ -310,6 +311,7 @@ void Utf8DecoderBase::Reset(uint16_t* bu + // Just wrote last character of buffer + writing_to_buffer = false; + unbuffered_start_ = stream; ++ unbuffered_length_ = stream_length; + } + continue; + } +@@ -319,20 +321,24 @@ void Utf8DecoderBase::Reset(uint16_t* bu + writing_to_buffer = false; + last_byte_of_buffer_unused_ = true; + unbuffered_start_ = stream - cursor; ++ unbuffered_length_ = stream_length + cursor; + } + utf16_length_ = utf16_length; + } + + + void Utf8DecoderBase::WriteUtf16Slow(const uint8_t* stream, ++ unsigned stream_length, + uint16_t* data, + unsigned data_length) { + while (data_length != 0) { + unsigned cursor = 0; +- uint32_t character = Utf8::ValueOf(stream, Utf8::kMaxEncodedSize, &cursor); ++ ++ uint32_t character = Utf8::ValueOf(stream, stream_length, &cursor); + // There's a total lack of bounds checking for stream + // as it was already done in Reset. + stream += cursor; ++ stream_length -= cursor; + if (character > unibrow::Utf16::kMaxNonSurrogateCharCode) { + *data++ = Utf16::LeadSurrogate(character); + *data++ = Utf16::TrailSurrogate(character); +@@ -343,6 +349,7 @@ void Utf8DecoderBase::WriteUtf16Slow(con + data_length -= 1; + } + } ++ ASSERT(stream_length >= 0); + } + + +--- src/unicode.h.orig 2013-05-01 12:56:29 UTC ++++ src/unicode.h +@@ -184,10 +184,10 @@ class Utf8DecoderBase { + unsigned buffer_length, + const uint8_t* stream, + unsigned stream_length); +- static void WriteUtf16Slow(const uint8_t* stream, +- uint16_t* data, +- unsigned length); ++ static void WriteUtf16Slow(const uint8_t* stream, unsigned stream_length, ++ uint16_t* data, unsigned length); + const uint8_t* unbuffered_start_; ++ unsigned unbuffered_length_; + unsigned utf16_length_; + bool last_byte_of_buffer_unused_; + private: Modified: branches/2015Q3/lang/v8/Makefile ============================================================================== --- branches/2015Q3/lang/v8/Makefile Wed Jul 29 17:00:29 2015 (r393186) +++ branches/2015Q3/lang/v8/Makefile Wed Jul 29 17:01:43 2015 (r393187) @@ -3,6 +3,7 @@ PORTNAME= v8 PORTVERSION= 3.18.5 +PORTREVISION= 1 CATEGORIES= lang MASTER_SITES= LOCAL/vanilla