From owner-svn-ports-all@freebsd.org Wed Jul 29 16:41:11 2015 Return-Path: Delivered-To: svn-ports-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 654299AC5C0; Wed, 29 Jul 2015 16:41:11 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 492412C1B; Wed, 29 Jul 2015 16:41:11 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.70]) by repo.freebsd.org (8.14.9/8.14.9) with ESMTP id t6TGfBgN028627; Wed, 29 Jul 2015 16:41:11 GMT (envelope-from feld@FreeBSD.org) Received: (from feld@localhost) by repo.freebsd.org (8.14.9/8.14.9/Submit) id t6TGfAJR028625; Wed, 29 Jul 2015 16:41:10 GMT (envelope-from feld@FreeBSD.org) Message-Id: <201507291641.t6TGfAJR028625@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: feld set sender to feld@FreeBSD.org using -f 
From: Mark Felder Date: Wed, 29 Jul 2015 16:41:10 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r393181 - in head/devel: v8 v8-devel v8-devel/files v8/files X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Jul 2015 16:41:11 -0000 Author: feld Date: Wed Jul 29 16:41:09 2015 New Revision: 393181 URL: https://svnweb.freebsd.org/changeset/ports/393181 Log: devel/v8, devel/v8-devel: Backport CVE fix This fix has been backported instead of upgrading to a newer release as the upstream release process is a complicated fast-moving target and the current ports are using custom snapshots created by the port maintainer. This will also limit the amount of potential fallout as we know the existing v8 port works well enough to keep mongodb up to date. PR: 201450 MFH: 2015Q3 Security: CVE-2015-5380 Security: 864e6f75-2372-11e5-86ff-14dae9d210b8 Added: head/devel/v8/ head/devel/v8-devel/ head/devel/v8-devel/files/ head/devel/v8-devel/files/patch-CVE-2015-5380 (contents, props changed) head/devel/v8/files/ head/devel/v8/files/patch-CVE-2015-5380 (contents, props changed) Added: head/devel/v8-devel/files/patch-CVE-2015-5380 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/devel/v8-devel/files/patch-CVE-2015-5380 Wed Jul 29 16:41:09 2015 (r393181) 
@@ -0,0 +1,95 @@
+Backport of fix found here:
+https://github.com/joyent/node/commit/78b0e30954111cfaba0edbeee85450d8cbc6fdf6
+
+Note, this patch is modified to use ASSERT instead of DCHECK because
+this version of node is from before the rename which happened here:
+https://codereview.chromium.org/430503007
+
+--- src/unicode-inl.h.orig 2013-05-01 12:56:29 UTC
++++ src/unicode-inl.h
+@@ -168,6 +168,7 @@ unsigned Utf8::Length(uchar c, int previ
+
+ Utf8DecoderBase::Utf8DecoderBase()
+ : unbuffered_start_(NULL),
++ unbuffered_length_(0),
+ utf16_length_(0),
+ last_byte_of_buffer_unused_(false) {}
+
+@@ -207,8 +208,7 @@ unsigned Utf8Decoder::Write
+ if (length <= buffer_length) return length;
+ ASSERT(unbuffered_start_ != NULL);
+ // Copy the rest the slow way.
+- WriteUtf16Slow(unbuffered_start_,
+- data + buffer_length,
++ WriteUtf16Slow(unbuffered_start_, unbuffered_length_, data + buffer_length,
+ length - buffer_length);
+ return length;
+ }
+--- src/unicode.cc.orig 2013-05-01 12:56:29 UTC
++++ src/unicode.cc
+@@ -284,6 +284,7 @@ void Utf8DecoderBase::Reset(uint16_t* bu
+ // Assume everything will fit in the buffer and stream won't be needed.
+ last_byte_of_buffer_unused_ = false;
+ unbuffered_start_ = NULL;
++ unbuffered_length_ = 0;
+ bool writing_to_buffer = true;
+ // Loop until stream is read, writing to buffer as long as buffer has space.
+ unsigned utf16_length = 0;
+@@ -310,6 +311,7 @@ void Utf8DecoderBase::Reset(uint16_t* bu
+ // Just wrote last character of buffer
+ writing_to_buffer = false;
+ unbuffered_start_ = stream;
++ unbuffered_length_ = stream_length;
+ }
+ continue;
+ }
+@@ -319,20 +321,24 @@ void Utf8DecoderBase::Reset(uint16_t* bu
+ writing_to_buffer = false;
+ last_byte_of_buffer_unused_ = true;
+ unbuffered_start_ = stream - cursor;
++ unbuffered_length_ = stream_length + cursor;
+ }
+ utf16_length_ = utf16_length;
+ }
+
+
+ void Utf8DecoderBase::WriteUtf16Slow(const uint8_t* stream,
++ unsigned stream_length,
+ uint16_t* data,
+ unsigned data_length) {
+ while (data_length != 0) {
+ unsigned cursor = 0;
+- uint32_t character = Utf8::ValueOf(stream, Utf8::kMaxEncodedSize, &cursor);
++
++ uint32_t character = Utf8::ValueOf(stream, stream_length, &cursor);
+ // There's a total lack of bounds checking for stream
+ // as it was already done in Reset.
+ stream += cursor;
++ stream_length -= cursor;
+ if (character > unibrow::Utf16::kMaxNonSurrogateCharCode) {
+ *data++ = Utf16::LeadSurrogate(character);
+ *data++ = Utf16::TrailSurrogate(character);
+@@ -343,6 +349,7 @@ void Utf8DecoderBase::WriteUtf16Slow(con
+ data_length -= 1;
+ }
+ }
++ ASSERT(stream_length >= 0);
+ }
+
+
+--- src/unicode.h.orig 2013-05-01 12:56:29 UTC
++++ src/unicode.h
+@@ -184,10 +184,10 @@ class Utf8DecoderBase {
+ unsigned buffer_length,
+ const uint8_t* stream,
+ unsigned stream_length);
+- static void WriteUtf16Slow(const uint8_t* stream,
+- uint16_t* data,
+- unsigned length);
++ static void WriteUtf16Slow(const uint8_t* stream, unsigned stream_length,
++ uint16_t* data, unsigned length);
+ const uint8_t* unbuffered_start_;
++ unsigned unbuffered_length_;
+ unsigned utf16_length_;
+ bool last_byte_of_buffer_unused_;
+ private:
Added: head/devel/v8/files/patch-CVE-2015-5380
==============================================================================
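Review bot: The `ASSERT(stream_length >= 0);` added at the end of WriteUtf16Slow in the src/unicode.cc part of this patch can never fail, because the new signature declares `stream_length` as `unsigned`, so an underflow from `stream_length -= cursor;` is not caught and the line only earns a tautological-comparison warning. The check the backport wants is `ASSERT(cursor <= stream_length);` placed immediately before `stream_length -= cursor;`, which fires if Utf8::ValueOf reports a cursor beyond the bytes that remain; and since ASSERT, like the DCHECK it replaces, is presumably compiled out of release builds, release code still depends entirely on the length now passed to Utf8::ValueOf. The same applies verbatim to the identical devel/v8 copy of the patch below. The commit's Added list shows only the patch files; if no Makefile change accompanies it elsewhere, a PORTREVISION bump is presumably still needed so already-built packages pick up the fix.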
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/devel/v8/files/patch-CVE-2015-5380 Wed Jul 29 16:41:09 2015 (r393181)
@@ -0,0 +1,95 @@
+Backport of fix found here:
+https://github.com/joyent/node/commit/78b0e30954111cfaba0edbeee85450d8cbc6fdf6
+
+Note, this patch is modified to use ASSERT instead of DCHECK because
+this version of node is from before the rename which happened here:
+https://codereview.chromium.org/430503007
+
+--- src/unicode-inl.h.orig 2013-05-01 12:56:29 UTC
++++ src/unicode-inl.h
+@@ -168,6 +168,7 @@ unsigned Utf8::Length(uchar c, int previ
+
+ Utf8DecoderBase::Utf8DecoderBase()
+ : unbuffered_start_(NULL),
++ unbuffered_length_(0),
+ utf16_length_(0),
+ last_byte_of_buffer_unused_(false) {}
+
+@@ -207,8 +208,7 @@ unsigned Utf8Decoder::Write
+ if (length <= buffer_length) return length;
+ ASSERT(unbuffered_start_ != NULL);
+ // Copy the rest the slow way.
+- WriteUtf16Slow(unbuffered_start_,
+- data + buffer_length,
++ WriteUtf16Slow(unbuffered_start_, unbuffered_length_, data + buffer_length,
+ length - buffer_length);
+ return length;
+ }
+--- src/unicode.cc.orig 2013-05-01 12:56:29 UTC
++++ src/unicode.cc
+@@ -284,6 +284,7 @@ void Utf8DecoderBase::Reset(uint16_t* bu
+ // Assume everything will fit in the buffer and stream won't be needed.
+ last_byte_of_buffer_unused_ = false;
+ unbuffered_start_ = NULL;
++ unbuffered_length_ = 0;
+ bool writing_to_buffer = true;
+ // Loop until stream is read, writing to buffer as long as buffer has space.
+ unsigned utf16_length = 0;
+@@ -310,6 +311,7 @@ void Utf8DecoderBase::Reset(uint16_t* bu
+ // Just wrote last character of buffer
+ writing_to_buffer = false;
+ unbuffered_start_ = stream;
++ unbuffered_length_ = stream_length;
+ }
+ continue;
+ }
+@@ -319,20 +321,24 @@ void Utf8DecoderBase::Reset(uint16_t* bu
+ writing_to_buffer = false;
+ last_byte_of_buffer_unused_ = true;
+ unbuffered_start_ = stream - cursor;
++ unbuffered_length_ = stream_length + cursor;
+ }
+ utf16_length_ = utf16_length;
+ }
+
+
+ void Utf8DecoderBase::WriteUtf16Slow(const uint8_t* stream,
++ unsigned stream_length,
+ uint16_t* data,
+ unsigned data_length) {
+ while (data_length != 0) {
+ unsigned cursor = 0;
+- uint32_t character = Utf8::ValueOf(stream, Utf8::kMaxEncodedSize, &cursor);
++
++ uint32_t character = Utf8::ValueOf(stream, stream_length, &cursor);
+ // There's a total lack of bounds checking for stream
+ // as it was already done in Reset.
+ stream += cursor;
++ stream_length -= cursor;
+ if (character > unibrow::Utf16::kMaxNonSurrogateCharCode) {
+ *data++ = Utf16::LeadSurrogate(character);
+ *data++ = Utf16::TrailSurrogate(character);
+@@ -343,6 +349,7 @@ void Utf8DecoderBase::WriteUtf16Slow(con
+ data_length -= 1;
+ }
+ }
++ ASSERT(stream_length >= 0);
+ }
+
+
+--- src/unicode.h.orig 2013-05-01 12:56:29 UTC
++++ src/unicode.h
+@@ -184,10 +184,10 @@ class Utf8DecoderBase {
+ unsigned buffer_length,
+ const uint8_t* stream,
+ unsigned stream_length);
+- static void WriteUtf16Slow(const uint8_t* stream,
+- uint16_t* data,
+- unsigned length);
++ static void WriteUtf16Slow(const uint8_t* stream, unsigned stream_length,
++ uint16_t* data, unsigned length);
+ const uint8_t* unbuffered_start_;
++ unsigned unbuffered_length_;
+ unsigned utf16_length_;
+ bool last_byte_of_buffer_unused_;
+ private: