diff --git a/cmake/external_libs/jpeg_turbo.cmake b/cmake/external_libs/jpeg_turbo.cmake index 95336633f40..e3c86c0ceaa 100644 --- a/cmake/external_libs/jpeg_turbo.cmake +++ b/cmake/external_libs/jpeg_turbo.cmake @@ -25,9 +25,13 @@ set(jpeg_turbo_LDFLAGS "-Wl,-z,relro,-z,now,-z,noexecstack,-s") set(jpeg_turbo_USE_STATIC_LIBS ON) set(JPEG_TURBO_PATCHE ${CMAKE_SOURCE_DIR}/third_party/patch/jpeg_turbo/jpeg_turbo.patch001) set(CMAKE_OPTION -DCMAKE_BUILD_TYPE=Release -DCMAKE_SKIP_RPATH=TRUE -DWITH_SIMD=ON) +set(CVE_2020_35538 ${CMAKE_SOURCE_DIR}/third_party/patch/jpeg_turbo/CVE-2020-35538.patch) +set(CVE_2021_46822 ${CMAKE_SOURCE_DIR}/third_party/patch/jpeg_turbo/CVE-2021-46822.patch) if(BUILD_LITE) set(jpeg_turbo_USE_STATIC_LIBS OFF) set(JPEG_TURBO_PATCHE ${TOP_DIR}/third_party/patch/jpeg_turbo/jpeg_turbo.patch001) + set(CVE_2020_35538 ${TOP_DIR}/third_party/patch/jpeg_turbo/CVE-2020-35538.patch) + set(CVE_2021_46822 ${TOP_DIR}/third_party/patch/jpeg_turbo/CVE-2021-46822.patch) if(ANDROID_NDK) # compile android on x86_64 env if(PLATFORM_ARM64) set(CMAKE_OPTION -DCMAKE_TOOLCHAIN_FILE=$ENV{ANDROID_NDK}/build/cmake/android.toolchain.cmake @@ -55,6 +59,8 @@ mindspore_add_pkg(jpeg_turbo MD5 ${MD5} CMAKE_OPTION ${CMAKE_OPTION} PATCHES ${JPEG_TURBO_PATCHE} + PATCHES ${CVE_2020_35538} + PATCHES ${CVE_2021_46822} ) include_directories(${jpeg_turbo_INC}) add_library(mindspore::jpeg_turbo ALIAS jpeg_turbo::jpeg) diff --git a/cmake/external_libs/sqlite.cmake b/cmake/external_libs/sqlite.cmake index ea43492d885..16a0bf262a7 100644 --- a/cmake/external_libs/sqlite.cmake +++ b/cmake/external_libs/sqlite.cmake @@ -43,6 +43,8 @@ else() LIBS sqlite3 URL ${REQ_URL} MD5 ${MD5} + PATCHES ${CMAKE_SOURCE_DIR}/third_party/patch/sqlite/CVE-2022-35737.patch + PATCHES ${CMAKE_SOURCE_DIR}/third_party/patch/sqlite/CVE-2021-36690.patch CONFIGURE_COMMAND ./configure --enable-shared=no --disable-tcl --disable-editline --enable-json1) endif() diff --git a/cmake/external_libs/zlib.cmake b/cmake/external_libs/zlib.cmake index e8fa2b0c5b2..3850c6c3c15 100644 --- a/cmake/external_libs/zlib.cmake +++ b/cmake/external_libs/zlib.cmake @@ -11,7 +11,9 @@ mindspore_add_pkg(zlib LIBS z URL ${REQ_URL} MD5 ${MD5} - CMAKE_OPTION -DCMAKE_BUILD_TYPE:STRING=Release) + CMAKE_OPTION -DCMAKE_BUILD_TYPE:STRING=Release + PATCHES ${CMAKE_SOURCE_DIR}/third_party/patch/zlib/CVE-2018-25032.patch + PATCHES ${CMAKE_SOURCE_DIR}/third_party/patch/zlib/CVE-2022-37434.patch) include_directories(${zlib_INC}) add_library(mindspore::z ALIAS zlib::z) diff --git a/mindspore/ccsrc/minddata/dataset/api/vision.cc b/mindspore/ccsrc/minddata/dataset/api/vision.cc index 4b50c96566d..74a627224ff 100644 --- a/mindspore/ccsrc/minddata/dataset/api/vision.cc +++ b/mindspore/ccsrc/minddata/dataset/api/vision.cc @@ -509,6 +509,7 @@ std::shared_ptr GaussianBlur::Parse() { #ifndef ENABLE_ANDROID // GetImageNumChannels Function. Status GetImageNumChannels(const mindspore::MSTensor &image, dsize_t *channels) { + RETURN_UNEXPECTED_IF_NULL(channels); std::shared_ptr input; Status rc = Tensor::CreateFromMSTensor(image, &input); if (rc.IsError()) { diff --git a/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/griffin_lim_ir.h b/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/griffin_lim_ir.h index bef970bbf9a..98c1864a8cf 100644 --- a/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/griffin_lim_ir.h +++ b/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/griffin_lim_ir.h @@ -34,7 +34,7 @@ class GriffinLimOperation : public TensorOperation { GriffinLimOperation(int32_t n_fft, int32_t n_iter, int32_t win_length, int32_t hop_length, WindowType window_type, float power, float momentum, int32_t length, bool rand_init); - ~GriffinLimOperation(); + ~GriffinLimOperation() override; std::shared_ptr Build() override; diff --git a/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/inverse_mel_scale_ir.h b/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/inverse_mel_scale_ir.h index ead179c8fa1..242e622b969 100644 --- a/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/inverse_mel_scale_ir.h +++ b/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/inverse_mel_scale_ir.h @@ -36,7 +36,7 @@ class InverseMelScaleOperation : public TensorOperation { int32_t max_iter, float tolerance_loss, float tolerance_change, const std::map &sgdargs, NormType norm, MelType mel_type); - ~InverseMelScaleOperation(); + ~InverseMelScaleOperation() override; std::shared_ptr Build() override; diff --git a/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/mask_along_axis_iid_ir.h b/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/mask_along_axis_iid_ir.h index 53dfd9e98d9..fcfdbaa7932 100644 --- a/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/mask_along_axis_iid_ir.h +++ b/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/mask_along_axis_iid_ir.h @@ -37,7 +37,7 @@ class MaskAlongAxisIIDOperation : public TensorOperation { public: MaskAlongAxisIIDOperation(int32_t mask_param, float mask_value, int32_t axis); - ~MaskAlongAxisIIDOperation(); + ~MaskAlongAxisIIDOperation() override; std::shared_ptr Build() override; diff --git a/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/mask_along_axis_ir.h b/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/mask_along_axis_ir.h index 54aebbf3239..07ba150c3c4 100644 --- a/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/mask_along_axis_ir.h +++ b/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/mask_along_axis_ir.h @@ -36,7 +36,7 @@ class MaskAlongAxisOperation : public TensorOperation { public: MaskAlongAxisOperation(int32_t mask_start, int32_t mask_width, float mask_value, int32_t axis); - ~MaskAlongAxisOperation(); + ~MaskAlongAxisOperation() override; std::shared_ptr Build() override; diff --git a/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/mel_scale_ir.h b/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/mel_scale_ir.h index b51e0989468..69606179da4 100644 --- a/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/mel_scale_ir.h +++ b/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/mel_scale_ir.h @@ -34,7 +34,7 @@ class MelScaleOperation : public TensorOperation { MelScaleOperation(int32_t n_mels, int32_t sample_rate, float f_min, float f_max, int32_t n_stft, NormType norm, MelType mel_type); - ~MelScaleOperation(); + ~MelScaleOperation() override; std::shared_ptr Build() override; diff --git a/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/vad_ir.h b/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/vad_ir.h index f175ef14e5c..ba0f571bad7 100644 --- a/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/vad_ir.h +++ b/mindspore/ccsrc/minddata/dataset/audio/ir/kernels/vad_ir.h @@ -36,7 +36,7 @@ class VadOperation : public TensorOperation { float noise_reduction_amount, float measure_freq, float measure_duration, float measure_smooth_time, float hp_filter_freq, float lp_filter_freq, float hp_lifter_freq, float lp_lifter_freq); - ~VadOperation(); + ~VadOperation() override; std::shared_ptr Build() override; diff --git a/mindspore/ccsrc/minddata/dataset/audio/kernels/audio_utils.cc b/mindspore/ccsrc/minddata/dataset/audio/kernels/audio_utils.cc index 48b1166d3ae..06cedc11d34 100644 --- a/mindspore/ccsrc/minddata/dataset/audio/kernels/audio_utils.cc +++ b/mindspore/ccsrc/minddata/dataset/audio/kernels/audio_utils.cc @@ -984,6 +984,8 @@ Status ComputeCmnWaveform(const std::shared_ptr &input, std::shared_ptr< auto cmn_it = reinterpret_cast(const_cast((*cmn_waveform_p)->GetBuffer())); it += (m * num_frames * num_feats + i * num_feats); cmn_it += (m * num_frames * num_feats + i * num_feats); + CHECK_FAIL_RETURN_UNEXPECTED(cmn_window_frames != 0, + "SlidingWindowCmn: invalid parameter, 'cmn_window_frames' can not be zero."); Eigen::Map(cmn_it, 1, num_feats) = Eigen::Map(it, 1, num_feats) - cur_sum.row(m) / cmn_window_frames; if (norm_vars) { @@ -1284,8 +1286,8 @@ Status Onesided(const std::shared_ptr &input, std::shared_ptr *o } template -Status PowerStft(const std::shared_ptr &input, std::shared_ptr *output, float power, int n_fft, - int n_columns, int n_length) { +Status PowerStft(const std::shared_ptr &input, std::shared_ptr *output, float power, int n_columns, + int n_length) { auto spec_f_begin = input->begin(); std::vector spec_f_slice = {n_length * n_columns * 2, n_columns * 2, 2}; std::vector spec_p_slice = {n_length * n_columns, n_columns}; @@ -1311,8 +1313,8 @@ Status PowerStft(const std::shared_ptr &input, std::shared_ptr * template Status Stft(const std::shared_ptr &input, std::shared_ptr *output, int n_fft, - const std::shared_ptr &win, int win_length, int hop_length, int n_columns, bool normalized, - float power, bool onesided) { + const std::shared_ptr &win, int win_length, int n_columns, bool normalized, float power, + bool onesided) { CHECK_FAIL_RETURN_UNEXPECTED(win_length != 0, "Spectrogram: win_length can not be zero."); double win_sum = 0.; float twice = 2.0; @@ -1390,7 +1392,7 @@ Status Stft(const std::shared_ptr &input, std::shared_ptr *outpu return Status::OK(); } RETURN_IF_NOT_OK(Tensor::CreateEmpty(TensorShape({input->shape()[0], n_fft, n_columns}), input->type(), &spec_p)); - RETURN_IF_NOT_OK(PowerStft(output_onsided, &spec_p, power, n_fft, n_columns, n_fft)); + RETURN_IF_NOT_OK(PowerStft(output_onsided, &spec_p, power, n_columns, n_fft)); *output = spec_p; return Status::OK(); } @@ -1398,7 +1400,7 @@ Status Stft(const std::shared_ptr &input, std::shared_ptr *outpu *output = spec_f; return Status::OK(); } - RETURN_IF_NOT_OK(PowerStft(spec_f, &spec_p, power, n_fft, n_columns, n_fft / TWO + 1)); + RETURN_IF_NOT_OK(PowerStft(spec_f, &spec_p, power, n_columns, n_fft / TWO + 1)); *output = spec_p; return Status::OK(); } @@ -1479,8 +1481,8 @@ Status SpectrogramImpl(const std::shared_ptr &input, std::shared_ptr(input_win, &stft_compute, n_fft, fft_window_later, n_fft, hop_length, n_columns, normalized, - power, onesided)); + RETURN_IF_NOT_OK( + Stft(input_win, &stft_compute, n_fft, fft_window_later, n_fft, n_columns, normalized, power, onesided)); if (onesided) { output_shape.push_back(n_fft / TWO + 1); } else { @@ -1687,7 +1689,7 @@ Status WindowSumSquare(const Eigen::MatrixXf &window_matrix, Eigen::VectorXf *wi /// \return Status code. template Status ISTFT(const Eigen::MatrixXcd &stft_matrix, std::shared_ptr *output, int32_t n_fft, int32_t hop_length, - int32_t win_length, WindowType window_type, bool center, bool normalized, bool onesided, int32_t length) { + int32_t win_length, WindowType window_type, bool center, int32_t length) { // check input CHECK_FAIL_RETURN_UNEXPECTED(n_fft == ((stft_matrix.rows() - 1) * 2), "GriffinLim: the frequency of the input should equal to n_fft / 2 + 1"); @@ -1837,8 +1839,7 @@ Status GriffinLimImpl(const std::shared_ptr &input, std::shared_ptr inverse; - RETURN_IF_NOT_OK( - ISTFT(stft_complex, &inverse, n_fft, hop_length, win_length, window_type, true, false, true, length)); + RETURN_IF_NOT_OK(ISTFT(stft_complex, &inverse, n_fft, hop_length, win_length, window_type, true, length)); // stft std::shared_ptr stft_out; RETURN_IF_NOT_OK(SpectrogramImpl(inverse, &stft_out, 0, window_type, n_fft, hop_length, win_length, 0, false, @@ -1869,8 +1870,7 @@ Status GriffinLimImpl(const std::shared_ptr &input, std::shared_ptr waveform; - RETURN_IF_NOT_OK( - ISTFT(stft_complex_fin, &waveform, n_fft, hop_length, win_length, window_type, true, false, true, length)); + RETURN_IF_NOT_OK(ISTFT(stft_complex_fin, &waveform, n_fft, hop_length, win_length, window_type, true, length)); if (shape.Rank() == TWO) { // do not expand dim @@ -2010,6 +2010,8 @@ template Status GetSincResampleKernel(int32_t orig_freq, int32_t des_freq, ResampleMethod resample_method, int32_t lowpass_filter_width, float rolloff, float beta, DataType datatype, std::shared_ptr *kernel, int32_t *width) { + CHECK_FAIL_RETURN_UNEXPECTED(orig_freq != 0, "Resample: invalid parameter, 'orig_freq' can not be zero."); + CHECK_FAIL_RETURN_UNEXPECTED(des_freq != 0, "Resample: invalid parameter, 'des_freq' can not be zero."); float base_freq = static_cast(std::min(orig_freq, des_freq)); // Removing the highest frequencies to perform antialiasing filtering. This is needed in both upsampling and // downsampling @@ -2138,6 +2140,7 @@ Status Resample(const std::shared_ptr &input, std::shared_ptr *o CHECK_FAIL_RETURN_UNEXPECTED(gcd != 0, "Resample: gcd cannet be equal to 0."); int32_t orig_freq_prime = static_cast(floor(orig_freq / gcd)); int32_t des_freq_prime = static_cast(floor(des_freq / gcd)); + CHECK_FAIL_RETURN_UNEXPECTED(orig_freq_prime != 0, "Resample: invalid parameter, 'orig_freq_prime' can not be zero."); std::shared_ptr kernel; int32_t width = 0; RETURN_IF_NOT_OK(GetSincResampleKernel(orig_freq_prime, des_freq_prime, resample_method, lowpass_filter_width, diff --git a/mindspore/ccsrc/minddata/dataset/engine/ir/datasetops/source/tf_record_node.cc b/mindspore/ccsrc/minddata/dataset/engine/ir/datasetops/source/tf_record_node.cc index 16f86372d72..ead057c70f5 100644 --- a/mindspore/ccsrc/minddata/dataset/engine/ir/datasetops/source/tf_record_node.cc +++ b/mindspore/ccsrc/minddata/dataset/engine/ir/datasetops/source/tf_record_node.cc @@ -115,7 +115,7 @@ void TFRecordNode::CheckLargeFile(const std::string &filename, std::ifstream *re << "The size of following TFRecord file is larger than 5G. There may be performance problems in " << "distributed scenarios. The file can be split into sub-files smaller than 5G to obtain better performance. " << "Large TFRecord file: " << filename; - large_files_.insert(filename); + (void)large_files_.insert(filename); } } } diff --git a/mindspore/ccsrc/minddata/dataset/kernels/image/lite_cv/image_process.cc b/mindspore/ccsrc/minddata/dataset/kernels/image/lite_cv/image_process.cc index febd9a38719..be605158adf 100644 --- a/mindspore/ccsrc/minddata/dataset/kernels/image/lite_cv/image_process.cc +++ b/mindspore/ccsrc/minddata/dataset/kernels/image/lite_cv/image_process.cc @@ -106,7 +106,7 @@ static bool ResizeBilinear3C(const unsigned char *src, int src_width, int src_he int *y_offset = data_buf + dst_width + dst_width; int16_t *x_weight = reinterpret_cast(data_buf + dst_width); - int16_t *y_weight = reinterpret_cast(x_weight + dst_width + dst_width + dst_height); + int16_t *y_weight = reinterpret_cast(data_buf + dst_width + dst_width + dst_height); if (!InitBilinearWeight(x_offset, x_weight, scale_width, dst_width, src_width, 3)) { delete[] data_buf; @@ -206,7 +206,7 @@ static bool ResizeBilinear1C(const unsigned char *src, int src_width, int src_he int *y_offset = data_buf + dst_width + dst_width; int16_t *x_weight = reinterpret_cast(data_buf + dst_width); - int16_t *y_weight = reinterpret_cast(x_weight + dst_width + dst_width + dst_height); + int16_t *y_weight = reinterpret_cast(data_buf + dst_width + dst_width + dst_height); if (!InitBilinearWeight(x_offset, x_weight, scale_width, dst_width, src_width, 1)) { delete[] data_buf; diff --git a/third_party/patch/jpeg_turbo/CVE-2020-35538.patch b/third_party/patch/jpeg_turbo/CVE-2020-35538.patch new file mode 100644 index 00000000000..2cbd1cd4275 --- /dev/null +++ b/third_party/patch/jpeg_turbo/CVE-2020-35538.patch @@ -0,0 +1,452 @@ +From 9120a247436e84c0b4eea828cb11e8f665fcde30 Mon Sep 17 00:00:00 2001 +From: DRC +Date: Thu, 23 Jul 2020 21:24:38 -0500 +Subject: [PATCH] Fix jpeg_skip_scanlines() segfault w/merged upsamp + +The additional segfault mentioned in #244 was due to the fact that +the merged upsamplers use a different private structure than the +non-merged upsamplers. jpeg_skip_scanlines() was assuming the latter, so +when merged upsampling was enabled, jpeg_skip_scanlines() clobbered one +of the IDCT method pointers in the merged upsampler's private structure. + +For reasons unknown, the test image in #441 did not encounter this +segfault (too small?), but it encountered an issue similar to the one +fixed in 5bc43c7821df982f65aa1c738f67fbf7cba8bd69, whereby it was +necessary to set up a dummy postprocessing function in +read_and_discard_scanlines() when merged upsampling was enabled. +Failing to do so caused either a segfault in merged_2v_upsample() (due +to a NULL pointer being passed to jcopy_sample_rows()) or an error +("Corrupt JPEG data: premature end of data segment"), depending on the +number of scanlines skipped and whether the first scanline skipped was +an odd- or even-numbered row. + +Fixes #441 +Fixes #244 (for real this time) +--- + ChangeLog.md | 6 +++++ + jdapistd.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++------ + jdmerge.c | 46 +++++++-------------------------- + jdmerge.h | 47 ++++++++++++++++++++++++++++++++++ + jdmrg565.c | 10 ++++---- + jdmrgext.c | 6 ++--- + 6 files changed, 134 insertions(+), 53 deletions(-) + create mode 100644 jdmerge.h + +diff --git a/ChangeLog.md b/ChangeLog.md +index 5f4ab7b8..2e4a3d88 100644 +--- a/ChangeLog.md ++++ b/ChangeLog.md +@@ -7,6 +7,12 @@ + platforms when using any of the YUV encoding/compression/decompression/decoding + methods in the TurboJPEG Java API. + ++2. Fixed segfaults or "Corrupt JPEG data: premature end of data segment" errors ++in `jpeg_skip_scanlines()` that occurred when decompressing 4:2:2 or 4:2:0 JPEG ++images using the merged (non-fancy) upsampling algorithms (that is, when ++setting `cinfo.do_fancy_upsampling` to `FALSE`.) 2.0.0[6] was a similar fix, ++but it did not cover all cases. ++ + + 2.0.5 + ===== +diff --git a/jdapistd.c b/jdapistd.c +index 2c808fa5..91da642d 100644 +--- a/jdapistd.c ++++ b/jdapistd.c +@@ -4,7 +4,7 @@ + * This file was part of the Independent JPEG Group's software: + * Copyright (C) 1994-1996, Thomas G. Lane. + * libjpeg-turbo Modifications: +- * Copyright (C) 2010, 2015-2018, D. R. Commander. ++ * Copyright (C) 2010, 2015-2018, 2020, D. R. Commander. + * Copyright (C) 2015, Google, Inc. + * For conditions of distribution and use, see the accompanying README.ijg + * file. +@@ -21,6 +21,8 @@ + #include "jinclude.h" + #include "jdmainct.h" + #include "jdcoefct.h" ++#include "jdmaster.h" ++#include "jdmerge.h" + #include "jdsample.h" + #include "jmemsys.h" + +@@ -304,6 +306,16 @@ noop_quantize(j_decompress_ptr cinfo, JSAMPARRAY input_buf, + } + + ++/* Dummy postprocessing function used by jpeg_skip_scanlines() */ ++LOCAL(void) ++noop_post_process (j_decompress_ptr cinfo, JSAMPIMAGE input_buf, ++ JDIMENSION *in_row_group_ctr, ++ JDIMENSION in_row_groups_avail, JSAMPARRAY output_buf, ++ JDIMENSION *out_row_ctr, JDIMENSION out_rows_avail) ++{ ++} ++ ++ + /* + * In some cases, it is best to call jpeg_read_scanlines() and discard the + * output, rather than skipping the scanlines, because this allows us to +@@ -316,11 +328,17 @@ LOCAL(void) + read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) + { + JDIMENSION n; ++ my_master_ptr master = (my_master_ptr)cinfo->master; + void (*color_convert) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf, + JDIMENSION input_row, JSAMPARRAY output_buf, + int num_rows) = NULL; + void (*color_quantize) (j_decompress_ptr cinfo, JSAMPARRAY input_buf, + JSAMPARRAY output_buf, int num_rows) = NULL; ++ void (*post_process_data) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf, ++ JDIMENSION *in_row_group_ctr, ++ JDIMENSION in_row_groups_avail, ++ JSAMPARRAY output_buf, JDIMENSION *out_row_ctr, ++ JDIMENSION out_rows_avail) = NULL; + + if (cinfo->cconvert && cinfo->cconvert->color_convert) { + color_convert = cinfo->cconvert->color_convert; +@@ -332,6 +350,12 @@ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) + cinfo->cquantize->color_quantize = noop_quantize; + } + ++ if (master->using_merged_upsample && cinfo->post && ++ cinfo->post->post_process_data) { ++ post_process_data = cinfo->post->post_process_data; ++ cinfo->post->post_process_data = noop_post_process; ++ } ++ + for (n = 0; n < num_lines; n++) + jpeg_read_scanlines(cinfo, NULL, 1); + +@@ -340,6 +364,9 @@ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) + + if (color_quantize) + cinfo->cquantize->color_quantize = color_quantize; ++ ++ if (post_process_data) ++ cinfo->post->post_process_data = post_process_data; + } + + +@@ -382,7 +409,7 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) + { + my_main_ptr main_ptr = (my_main_ptr)cinfo->main; + my_coef_ptr coef = (my_coef_ptr)cinfo->coef; +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ my_master_ptr master = (my_master_ptr)cinfo->master; + JDIMENSION i, x; + int y; + JDIMENSION lines_per_iMCU_row, lines_left_in_iMCU_row, lines_after_iMCU_row; +@@ -445,8 +472,16 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) + main_ptr->buffer_full = FALSE; + main_ptr->rowgroup_ctr = 0; + main_ptr->context_state = CTX_PREPARE_FOR_IMCU; +- upsample->next_row_out = cinfo->max_v_samp_factor; +- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ if (master->using_merged_upsample) { ++ my_merged_upsample_ptr upsample = ++ (my_merged_upsample_ptr)cinfo->upsample; ++ upsample->spare_full = FALSE; ++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ } else { ++ my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ upsample->next_row_out = cinfo->max_v_samp_factor; ++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ } + } + + /* Skipping is much simpler when context rows are not required. */ +@@ -458,8 +493,16 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) + cinfo->output_scanline += lines_left_in_iMCU_row; + main_ptr->buffer_full = FALSE; + main_ptr->rowgroup_ctr = 0; +- upsample->next_row_out = cinfo->max_v_samp_factor; +- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ if (master->using_merged_upsample) { ++ my_merged_upsample_ptr upsample = ++ (my_merged_upsample_ptr)cinfo->upsample; ++ upsample->spare_full = FALSE; ++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ } else { ++ my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ upsample->next_row_out = cinfo->max_v_samp_factor; ++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ } + } + } + +@@ -494,7 +537,14 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) + cinfo->output_iMCU_row += lines_to_skip / lines_per_iMCU_row; + increment_simple_rowgroup_ctr(cinfo, lines_to_read); + } +- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ if (master->using_merged_upsample) { ++ my_merged_upsample_ptr upsample = ++ (my_merged_upsample_ptr)cinfo->upsample; ++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ } else { ++ my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ } + return num_lines; + } + +@@ -535,7 +585,13 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines) + * bit odd, since "rows_to_go" seems to be redundantly keeping track of + * output_scanline. + */ +- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ if (master->using_merged_upsample) { ++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; ++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ } else { ++ my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline; ++ } + + /* Always skip the requested number of lines. */ + return num_lines; +diff --git a/jdmerge.c b/jdmerge.c +index dff5a350..833ad675 100644 +--- a/jdmerge.c ++++ b/jdmerge.c +@@ -5,7 +5,7 @@ + * Copyright (C) 1994-1996, Thomas G. Lane. + * libjpeg-turbo Modifications: + * Copyright 2009 Pierre Ossman for Cendio AB +- * Copyright (C) 2009, 2011, 2014-2015, D. R. Commander. ++ * Copyright (C) 2009, 2011, 2014-2015, 2020, D. R. Commander. + * Copyright (C) 2013, Linaro Limited. + * For conditions of distribution and use, see the accompanying README.ijg + * file. +@@ -40,41 +40,13 @@ + #define JPEG_INTERNALS + #include "jinclude.h" + #include "jpeglib.h" ++#include "jdmerge.h" + #include "jsimd.h" + #include "jconfigint.h" + + #ifdef UPSAMPLE_MERGING_SUPPORTED + + +-/* Private subobject */ +- +-typedef struct { +- struct jpeg_upsampler pub; /* public fields */ +- +- /* Pointer to routine to do actual upsampling/conversion of one row group */ +- void (*upmethod) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf, +- JDIMENSION in_row_group_ctr, JSAMPARRAY output_buf); +- +- /* Private state for YCC->RGB conversion */ +- int *Cr_r_tab; /* => table for Cr to R conversion */ +- int *Cb_b_tab; /* => table for Cb to B conversion */ +- JLONG *Cr_g_tab; /* => table for Cr to G conversion */ +- JLONG *Cb_g_tab; /* => table for Cb to G conversion */ +- +- /* For 2:1 vertical sampling, we produce two output rows at a time. +- * We need a "spare" row buffer to hold the second output row if the +- * application provides just a one-row buffer; we also use the spare +- * to discard the dummy last row if the image height is odd. +- */ +- JSAMPROW spare_row; +- boolean spare_full; /* T if spare buffer is occupied */ +- +- JDIMENSION out_row_width; /* samples per output row */ +- JDIMENSION rows_to_go; /* counts rows remaining in image */ +-} my_upsampler; +- +-typedef my_upsampler *my_upsample_ptr; +- + #define SCALEBITS 16 /* speediest right-shift on some machines */ + #define ONE_HALF ((JLONG)1 << (SCALEBITS - 1)) + #define FIX(x) ((JLONG)((x) * (1L << SCALEBITS) + 0.5)) +@@ -189,7 +161,7 @@ typedef my_upsampler *my_upsample_ptr; + LOCAL(void) + build_ycc_rgb_table(j_decompress_ptr cinfo) + { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; + int i; + JLONG x; + SHIFT_TEMPS +@@ -232,7 +204,7 @@ build_ycc_rgb_table(j_decompress_ptr cinfo) + METHODDEF(void) + start_pass_merged_upsample(j_decompress_ptr cinfo) + { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; + + /* Mark the spare buffer empty */ + upsample->spare_full = FALSE; +@@ -254,7 +226,7 @@ merged_2v_upsample(j_decompress_ptr cinfo, JSAMPIMAGE input_buf, + JDIMENSION *out_row_ctr, JDIMENSION out_rows_avail) + /* 2:1 vertical sampling case: may need a spare row. */ + { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; + JSAMPROW work_ptrs[2]; + JDIMENSION num_rows; /* number of rows returned to caller */ + +@@ -305,7 +277,7 @@ merged_1v_upsample(j_decompress_ptr cinfo, JSAMPIMAGE input_buf, + JDIMENSION *out_row_ctr, JDIMENSION out_rows_avail) + /* 1:1 vertical sampling case: much easier, never need a spare row. */ + { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; + + /* Just do the upsampling. */ + (*upsample->upmethod) (cinfo, input_buf, *in_row_group_ctr, +@@ -566,11 +538,11 @@ h2v2_merged_upsample_565D(j_decompress_ptr cinfo, JSAMPIMAGE input_buf, + GLOBAL(void) + jinit_merged_upsampler(j_decompress_ptr cinfo) + { +- my_upsample_ptr upsample; ++ my_merged_upsample_ptr upsample; + +- upsample = (my_upsample_ptr) ++ upsample = (my_merged_upsample_ptr) + (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE, +- sizeof(my_upsampler)); ++ sizeof(my_merged_upsampler)); + cinfo->upsample = (struct jpeg_upsampler *)upsample; + upsample->pub.start_pass = start_pass_merged_upsample; + upsample->pub.need_context_rows = FALSE; +diff --git a/jdmerge.h b/jdmerge.h +new file mode 100644 +index 00000000..b583396b +--- /dev/null ++++ b/jdmerge.h +@@ -0,0 +1,47 @@ ++/* ++ * jdmerge.h ++ * ++ * This file was part of the Independent JPEG Group's software: ++ * Copyright (C) 1994-1996, Thomas G. Lane. ++ * libjpeg-turbo Modifications: ++ * Copyright (C) 2020, D. R. Commander. ++ * For conditions of distribution and use, see the accompanying README.ijg ++ * file. ++ */ ++ ++#define JPEG_INTERNALS ++#include "jpeglib.h" ++ ++#ifdef UPSAMPLE_MERGING_SUPPORTED ++ ++ ++/* Private subobject */ ++ ++typedef struct { ++ struct jpeg_upsampler pub; /* public fields */ ++ ++ /* Pointer to routine to do actual upsampling/conversion of one row group */ ++ void (*upmethod) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf, ++ JDIMENSION in_row_group_ctr, JSAMPARRAY output_buf); ++ ++ /* Private state for YCC->RGB conversion */ ++ int *Cr_r_tab; /* => table for Cr to R conversion */ ++ int *Cb_b_tab; /* => table for Cb to B conversion */ ++ JLONG *Cr_g_tab; /* => table for Cr to G conversion */ ++ JLONG *Cb_g_tab; /* => table for Cb to G conversion */ ++ ++ /* For 2:1 vertical sampling, we produce two output rows at a time. ++ * We need a "spare" row buffer to hold the second output row if the ++ * application provides just a one-row buffer; we also use the spare ++ * to discard the dummy last row if the image height is odd. ++ */ ++ JSAMPROW spare_row; ++ boolean spare_full; /* T if spare buffer is occupied */ ++ ++ JDIMENSION out_row_width; /* samples per output row */ ++ JDIMENSION rows_to_go; /* counts rows remaining in image */ ++} my_merged_upsampler; ++ ++typedef my_merged_upsampler *my_merged_upsample_ptr; ++ ++#endif /* UPSAMPLE_MERGING_SUPPORTED */ +diff --git a/jdmrg565.c b/jdmrg565.c +index 1b87e371..53f1e167 100644 +--- a/jdmrg565.c ++++ b/jdmrg565.c +@@ -5,7 +5,7 @@ + * Copyright (C) 1994-1996, Thomas G. Lane. + * libjpeg-turbo Modifications: + * Copyright (C) 2013, Linaro Limited. +- * Copyright (C) 2014-2015, 2018, D. R. Commander. ++ * Copyright (C) 2014-2015, 2018, 2020, D. R. Commander. + * For conditions of distribution and use, see the accompanying README.ijg + * file. + * +@@ -19,7 +19,7 @@ h2v1_merged_upsample_565_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf, + JDIMENSION in_row_group_ctr, + JSAMPARRAY output_buf) + { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; + register int y, cred, cgreen, cblue; + int cb, cr; + register JSAMPROW outptr; +@@ -90,7 +90,7 @@ h2v1_merged_upsample_565D_internal(j_decompress_ptr cinfo, + JDIMENSION in_row_group_ctr, + JSAMPARRAY output_buf) + { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; + register int y, cred, cgreen, cblue; + int cb, cr; + register JSAMPROW outptr; +@@ -163,7 +163,7 @@ h2v2_merged_upsample_565_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf, + JDIMENSION in_row_group_ctr, + JSAMPARRAY output_buf) + { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; + register int y, cred, cgreen, cblue; + int cb, cr; + register JSAMPROW outptr0, outptr1; +@@ -259,7 +259,7 @@ h2v2_merged_upsample_565D_internal(j_decompress_ptr cinfo, + JDIMENSION in_row_group_ctr, + JSAMPARRAY output_buf) + { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; + register int y, cred, cgreen, cblue; + int cb, cr; + register JSAMPROW outptr0, outptr1; +diff --git a/jdmrgext.c b/jdmrgext.c +index b1c27df5..c9a44d82 100644 +--- a/jdmrgext.c ++++ b/jdmrgext.c +@@ -4,7 +4,7 @@ + * This file was part of the Independent JPEG Group's software: + * Copyright (C) 1994-1996, Thomas G. Lane. + * libjpeg-turbo Modifications: +- * Copyright (C) 2011, 2015, D. R. Commander. ++ * Copyright (C) 2011, 2015, 2020, D. R. Commander. + * For conditions of distribution and use, see the accompanying README.ijg + * file. + * +@@ -25,7 +25,7 @@ h2v1_merged_upsample_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf, + JDIMENSION in_row_group_ctr, + JSAMPARRAY output_buf) + { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; + register int y, cred, cgreen, cblue; + int cb, cr; + register JSAMPROW outptr; +@@ -97,7 +97,7 @@ h2v2_merged_upsample_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf, + JDIMENSION in_row_group_ctr, + JSAMPARRAY output_buf) + { +- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample; ++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample; + register int y, cred, cgreen, cblue; + int cb, cr; + register JSAMPROW outptr0, outptr1; +-- +2.17.1 + diff --git a/third_party/patch/jpeg_turbo/CVE-2021-46822.patch b/third_party/patch/jpeg_turbo/CVE-2021-46822.patch new file mode 100644 index 00000000000..5fd5ef45837 --- /dev/null +++ b/third_party/patch/jpeg_turbo/CVE-2021-46822.patch @@ -0,0 +1,63 @@ +diff -Npur libjpeg-turbo-2.0.4/rdppm.c libjpeg-turbo-2.0.4-change/rdppm.c +--- libjpeg-turbo-2.0.4/rdppm.c 2019-12-31 15:10:30.000000000 +0800 ++++ libjpeg-turbo-2.0.4-change/rdppm.c 2022-07-28 05:33:19.254229939 +0800 +@@ -526,6 +526,11 @@ get_word_rgb_row(j_compress_ptr cinfo, c + register JSAMPLE *rescale = source->rescale; + JDIMENSION col; + unsigned int maxval = source->maxval; ++ register int rindex = rgb_red[cinfo->in_color_space]; ++ register int gindex = rgb_green[cinfo->in_color_space]; ++ register int bindex = rgb_blue[cinfo->in_color_space]; ++ register int aindex = alpha_index[cinfo->in_color_space]; ++ register int ps = rgb_pixelsize[cinfo->in_color_space]; + + if (!ReadOK(source->pub.input_file, source->iobuffer, source->buffer_width)) + ERREXIT(cinfo, JERR_INPUT_EOF); +@@ -537,17 +542,20 @@ get_word_rgb_row(j_compress_ptr cinfo, c + temp |= UCH(*bufferptr++); + if (temp > maxval) + ERREXIT(cinfo, JERR_PPM_OUTOFRANGE); +- *ptr++ = rescale[temp]; ++ ptr[rindex] = rescale[temp]; + temp = UCH(*bufferptr++) << 8; + temp |= UCH(*bufferptr++); + if (temp > maxval) + ERREXIT(cinfo, JERR_PPM_OUTOFRANGE); +- *ptr++ = rescale[temp]; ++ ptr[gindex] = rescale[temp]; + temp = UCH(*bufferptr++) << 8; + temp |= UCH(*bufferptr++); + if (temp > maxval) + ERREXIT(cinfo, JERR_PPM_OUTOFRANGE); +- *ptr++ = rescale[temp]; ++ ptr[bindex] = rescale[temp]; ++ if (aindex >= 0) ++ ptr[aindex] = 0xFF; ++ ptr += ps; + } + return 1; + } +@@ -634,7 +642,10 @@ start_input_ppm(j_compress_ptr cinfo, cj + cinfo->in_color_space = JCS_GRAYSCALE; + TRACEMS2(cinfo, 1, JTRC_PGM, w, h); + if (maxval > 255) { +- source->pub.get_pixel_rows = get_word_gray_row; ++ if (cinfo->in_color_space == JCS_GRAYSCALE) ++ source->pub.get_pixel_rows = get_word_gray_row; ++ else ++ ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE); + } else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) && + cinfo->in_color_space == JCS_GRAYSCALE) { + source->pub.get_pixel_rows = get_raw_row; +@@ -657,7 +668,10 @@ start_input_ppm(j_compress_ptr cinfo, cj + cinfo->in_color_space = JCS_EXT_RGB; + TRACEMS2(cinfo, 1, JTRC_PPM, w, h); + if (maxval > 255) { +- source->pub.get_pixel_rows = get_word_rgb_row; ++ if (IsExtRGB(cinfo->in_color_space)) ++ source->pub.get_pixel_rows = get_word_rgb_row; ++ else ++ ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE); + } else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) && + (cinfo->in_color_space == JCS_EXT_RGB + #if RGB_RED == 0 && RGB_GREEN == 1 && RGB_BLUE == 2 && RGB_PIXELSIZE == 3 diff --git a/third_party/patch/sqlite/CVE-2021-36690.patch b/third_party/patch/sqlite/CVE-2021-36690.patch new file mode 100644 index 00000000000..1e35aadd179 --- /dev/null +++ b/third_party/patch/sqlite/CVE-2021-36690.patch @@ -0,0 +1,44 @@ +diff -Npur sqlite-version-3.36.0/ext/expert/sqlite3expert.c sqlite-version-3.36.0-change/ext/expert/sqlite3expert.c +--- sqlite-version-3.36.0/ext/expert/sqlite3expert.c 2021-06-19 02:36:39.000000000 +0800 ++++ sqlite-version-3.36.0-change/ext/expert/sqlite3expert.c 2022-09-14 23:12:47.929831193 +0800 +@@ -690,11 +690,13 @@ static int idxGetTableInfo( + rc = idxPrintfPrepareStmt(db, &p1, pzErrmsg, "PRAGMA table_xinfo=%Q", zTab); + while( rc==SQLITE_OK && SQLITE_ROW==sqlite3_step(p1) ){ + const char *zCol = (const char*)sqlite3_column_text(p1, 1); ++ const char *zColSeq = 0; + nByte += 1 + STRLEN(zCol); + rc = sqlite3_table_column_metadata( +- db, "main", zTab, zCol, 0, &zCol, 0, 0, 0 ++ db, "main", zTab, zCol, 0, &zColSeq, 0, 0, 0 + ); +- nByte += 1 + STRLEN(zCol); ++ if( zColSeq==0 ) zColSeq = "binary"; ++ nByte += 1 + STRLEN(zColSeq); + nCol++; + nPk += (sqlite3_column_int(p1, 5)>0); + } +@@ -714,6 +716,7 @@ static int idxGetTableInfo( + nCol = 0; + while( rc==SQLITE_OK && SQLITE_ROW==sqlite3_step(p1) ){ + const char *zCol = (const char*)sqlite3_column_text(p1, 1); ++ const char *zColSeq = 0; + int nCopy = STRLEN(zCol) + 1; + pNew->aCol[nCol].zName = pCsr; + pNew->aCol[nCol].iPk = (sqlite3_column_int(p1, 5)==1 && nPk==1); +@@ -721,12 +724,13 @@ static int idxGetTableInfo( + pCsr += nCopy; + + rc = sqlite3_table_column_metadata( +- db, "main", zTab, zCol, 0, &zCol, 0, 0, 0 ++ db, "main", zTab, zCol, 0, &zColSeq, 0, 0, 0 + ); + if( rc==SQLITE_OK ){ +- nCopy = STRLEN(zCol) + 1; ++ if( zColSeq==0 ) zColSeq = "binary"; ++ nCopy = STRLEN(zColSeq) + 1; + pNew->aCol[nCol].zColl = pCsr; +- memcpy(pCsr, zCol, nCopy); ++ memcpy(pCsr, zColSeq, nCopy); + pCsr += nCopy; + } + diff --git a/third_party/patch/sqlite/CVE-2022-35737.patch b/third_party/patch/sqlite/CVE-2022-35737.patch new file mode 100644 index 00000000000..723eacf90ed --- /dev/null +++ b/third_party/patch/sqlite/CVE-2022-35737.patch @@ -0,0 +1,14 @@ +diff -Npur sqlite-version-3.32.2/src/printf.c sqlite-version-3.32.2-change/src/printf.c +--- sqlite-version-3.32.2/src/printf.c 2020-06-04 20:58:43.000000000 +0800 ++++ sqlite-version-3.32.2-change/src/printf.c 2022-08-17 05:52:17.869214453 +0800 +@@ -798,8 +798,8 @@ void sqlite3_str_vappendf( + case etSQLESCAPE: /* %q: Escape ' characters */ + case etSQLESCAPE2: /* %Q: Escape ' and enclose in '...' */ + case etSQLESCAPE3: { /* %w: Escape " characters */ +- int i, j, k, n, isnull; +- int needQuote; ++ i64 i, j, k, n; ++ int needQuote, isnull; + char ch; + char q = ((xtype==etSQLESCAPE3)?'"':'\''); /* Quote character */ + char *escarg; diff --git a/third_party/patch/zlib/CVE-2018-25032.patch b/third_party/patch/zlib/CVE-2018-25032.patch new file mode 100644 index 00000000000..25fee45a8fa --- /dev/null +++ b/third_party/patch/zlib/CVE-2018-25032.patch @@ -0,0 +1,309 @@ +diff -Npur zlib-1.2.11/deflate.c zlib-1.2.11-change/deflate.c +--- zlib-1.2.11/deflate.c 2017-01-16 01:29:40.000000000 +0800 ++++ zlib-1.2.11-change/deflate.c 2022-07-28 04:48:30.310281281 +0800 +@@ -252,10 +252,6 @@ int ZEXPORT deflateInit2_(strm, level, m + int wrap = 1; + static const char my_version[] = ZLIB_VERSION; + +- ushf *overlay; +- /* We overlay pending_buf and d_buf+l_buf. This works since the average +- * output size for (length,distance) codes is <= 24 bits. +- */ + + if (version == Z_NULL || version[0] != my_version[0] || + stream_size != sizeof(z_stream)) { +@@ -326,9 +322,47 @@ int ZEXPORT deflateInit2_(strm, level, m + + s->lit_bufsize = 1 << (memLevel + 6); /* 16K elements by default */ + +- overlay = (ushf *) ZALLOC(strm, s->lit_bufsize, sizeof(ush)+2); +- s->pending_buf = (uchf *) overlay; +- s->pending_buf_size = (ulg)s->lit_bufsize * (sizeof(ush)+2L); ++ /* We overlay pending_buf and sym_buf. This works since the average size ++ * for length/distance pairs over any compressed block is assured to be 31 ++ * bits or less. ++ * ++ * Analysis: The longest fixed codes are a length code of 8 bits plus 5 ++ * extra bits, for lengths 131 to 257. The longest fixed distance codes are ++ * 5 bits plus 13 extra bits, for distances 16385 to 32768. The longest ++ * possible fixed-codes length/distance pair is then 31 bits total. ++ * ++ * sym_buf starts one-fourth of the way into pending_buf. So there are ++ * three bytes in sym_buf for every four bytes in pending_buf. Each symbol ++ * in sym_buf is three bytes -- two for the distance and one for the ++ * literal/length. As each symbol is consumed, the pointer to the next ++ * sym_buf value to read moves forward three bytes. From that symbol, up to ++ * 31 bits are written to pending_buf. The closest the written pending_buf ++ * bits gets to the next sym_buf symbol to read is just before the last ++ * code is written. At that time, 31*(n-2) bits have been written, just ++ * after 24*(n-2) bits have been consumed from sym_buf. sym_buf starts at ++ * 8*n bits into pending_buf. (Note that the symbol buffer fills when n-1 ++ * symbols are written.) The closest the writing gets to what is unread is ++ * then n+14 bits. Here n is lit_bufsize, which is 16384 by default, and ++ * can range from 128 to 32768. ++ * ++ * Therefore, at a minimum, there are 142 bits of space between what is ++ * written and what is read in the overlain buffers, so the symbols cannot ++ * be overwritten by the compressed data. That space is actually 139 bits, ++ * due to the three-bit fixed-code block header. ++ * ++ * That covers the case where either Z_FIXED is specified, forcing fixed ++ * codes, or when the use of fixed codes is chosen, because that choice ++ * results in a smaller compressed block than dynamic codes. That latter ++ * condition then assures that the above analysis also covers all dynamic ++ * blocks. A dynamic-code block will only be chosen to be emitted if it has ++ * fewer bits than a fixed-code block would for the same set of symbols. ++ * Therefore its average symbol length is assured to be less than 31. So ++ * the compressed data for a dynamic block also cannot overwrite the ++ * symbols from which it is being constructed. ++ */ ++ ++ s->pending_buf = (uchf *) ZALLOC(strm, s->lit_bufsize, 4); ++ s->pending_buf_size = (ulg)s->lit_bufsize * 4; + + if (s->window == Z_NULL || s->prev == Z_NULL || s->head == Z_NULL || + s->pending_buf == Z_NULL) { +@@ -337,8 +371,12 @@ int ZEXPORT deflateInit2_(strm, level, m + deflateEnd (strm); + return Z_MEM_ERROR; + } +- s->d_buf = overlay + s->lit_bufsize/sizeof(ush); +- s->l_buf = s->pending_buf + (1+sizeof(ush))*s->lit_bufsize; ++ s->sym_buf = s->pending_buf + s->lit_bufsize; ++ s->sym_end = (s->lit_bufsize - 1) * 3; ++ /* We avoid equality with lit_bufsize*3 because of wraparound at 64K ++ * on 16 bit machines and because stored blocks are restricted to ++ * 64K-1 bytes. ++ */ + + s->level = level; + s->strategy = strategy; +@@ -549,7 +587,7 @@ int ZEXPORT deflatePrime (strm, bits, va + + if (deflateStateCheck(strm)) return Z_STREAM_ERROR; + s = strm->state; +- if ((Bytef *)(s->d_buf) < s->pending_out + ((Buf_size + 7) >> 3)) ++ if (s->sym_buf < s->pending_out + ((Buf_size + 7) >> 3)) + return Z_BUF_ERROR; + do { + put = Buf_size - s->bi_valid; +@@ -1108,7 +1146,6 @@ int ZEXPORT deflateCopy (dest, source) + #else + deflate_state *ds; + deflate_state *ss; +- ushf *overlay; + + + if (deflateStateCheck(source) || dest == Z_NULL) { +@@ -1128,8 +1165,7 @@ int ZEXPORT deflateCopy (dest, source) + ds->window = (Bytef *) ZALLOC(dest, ds->w_size, 2*sizeof(Byte)); + ds->prev = (Posf *) ZALLOC(dest, ds->w_size, sizeof(Pos)); + ds->head = (Posf *) ZALLOC(dest, ds->hash_size, sizeof(Pos)); +- overlay = (ushf *) ZALLOC(dest, ds->lit_bufsize, sizeof(ush)+2); +- ds->pending_buf = (uchf *) overlay; ++ ds->pending_buf = (uchf *) ZALLOC(dest, ds->lit_bufsize, 4); + + if (ds->window == Z_NULL || ds->prev == Z_NULL || ds->head == Z_NULL || + ds->pending_buf == Z_NULL) { +@@ -1143,8 +1179,7 @@ int ZEXPORT deflateCopy (dest, source) + zmemcpy(ds->pending_buf, ss->pending_buf, (uInt)ds->pending_buf_size); + + ds->pending_out = ds->pending_buf + (ss->pending_out - ss->pending_buf); +- ds->d_buf = overlay + ds->lit_bufsize/sizeof(ush); +- ds->l_buf = ds->pending_buf + (1+sizeof(ush))*ds->lit_bufsize; ++ ds->sym_buf = ds->pending_buf + ds->lit_bufsize; + + ds->l_desc.dyn_tree = ds->dyn_ltree; + ds->d_desc.dyn_tree = ds->dyn_dtree; +@@ -1912,7 +1947,7 @@ local block_state deflate_fast(s, flush) + FLUSH_BLOCK(s, 1); + return finish_done; + } +- if (s->last_lit) ++ if (s->sym_next) + FLUSH_BLOCK(s, 0); + return block_done; + } +@@ -2043,7 +2078,7 @@ local block_state deflate_slow(s, flush) + FLUSH_BLOCK(s, 1); + return finish_done; + } +- if (s->last_lit) ++ if (s->sym_next) + FLUSH_BLOCK(s, 0); + return block_done; + } +@@ -2118,7 +2153,7 @@ local block_state deflate_rle(s, flush) + FLUSH_BLOCK(s, 1); + return finish_done; + } +- if (s->last_lit) ++ if (s->sym_next) + FLUSH_BLOCK(s, 0); + return block_done; + } +@@ -2157,7 +2192,7 @@ local block_state deflate_huff(s, flush) + FLUSH_BLOCK(s, 1); + return finish_done; + } +- if (s->last_lit) ++ if (s->sym_next) + FLUSH_BLOCK(s, 0); + return block_done; + } +diff -Npur zlib-1.2.11/deflate.h zlib-1.2.11-change/deflate.h +--- zlib-1.2.11/deflate.h 2017-01-01 15:37:10.000000000 +0800 ++++ zlib-1.2.11-change/deflate.h 2022-07-28 04:42:55.134287681 +0800 +@@ -217,7 +217,7 @@ typedef struct internal_state { + /* Depth of each subtree used as tie breaker for trees of equal frequency + */ + +- uchf *l_buf; /* buffer for literals or lengths */ ++ uchf *sym_buf; /* buffer for distances and literals/lengths */ + + uInt lit_bufsize; + /* Size of match buffer for literals/lengths. There are 4 reasons for +@@ -239,13 +239,8 @@ typedef struct internal_state { + * - I can't count above 4 + */ + +- uInt last_lit; /* running index in l_buf */ +- +- ushf *d_buf; +- /* Buffer for distances. To simplify the code, d_buf and l_buf have +- * the same number of elements. To use different lengths, an extra flag +- * array would be necessary. +- */ ++ uInt sym_next; /* running index in sym_buf */ ++ uInt sym_end; /* symbol table full when sym_next reaches this */ + + ulg opt_len; /* bit length of current block with optimal trees */ + ulg static_len; /* bit length of current block with static trees */ +@@ -325,20 +320,22 @@ void ZLIB_INTERNAL _tr_stored_block OF(( + + # define _tr_tally_lit(s, c, flush) \ + { uch cc = (c); \ +- s->d_buf[s->last_lit] = 0; \ +- s->l_buf[s->last_lit++] = cc; \ ++ s->sym_buf[s->sym_next++] = 0; \ ++ s->sym_buf[s->sym_next++] = 0; \ ++ s->sym_buf[s->sym_next++] = cc; \ + s->dyn_ltree[cc].Freq++; \ +- flush = (s->last_lit == s->lit_bufsize-1); \ ++ flush = (s->sym_next == s->sym_end); \ + } + # define _tr_tally_dist(s, distance, length, flush) \ + { uch len = (uch)(length); \ + ush dist = (ush)(distance); \ +- s->d_buf[s->last_lit] = dist; \ +- s->l_buf[s->last_lit++] = len; \ ++ s->sym_buf[s->sym_next++] = dist; \ ++ s->sym_buf[s->sym_next++] = dist >> 8; \ ++ s->sym_buf[s->sym_next++] = len; \ + dist--; \ + s->dyn_ltree[_length_code[len]+LITERALS+1].Freq++; \ + s->dyn_dtree[d_code(dist)].Freq++; \ +- flush = (s->last_lit == s->lit_bufsize-1); \ ++ flush = (s->sym_next == s->sym_end); \ + } + #else + # define _tr_tally_lit(s, c, flush) flush = _tr_tally(s, 0, c) +diff -Npur zlib-1.2.11/trees.c zlib-1.2.11-change/trees.c +--- zlib-1.2.11/trees.c 2017-01-16 01:07:14.000000000 +0800 ++++ zlib-1.2.11-change/trees.c 2022-07-28 05:00:04.094268034 +0800 +@@ -416,7 +416,7 @@ local void init_block(s) + + s->dyn_ltree[END_BLOCK].Freq = 1; + s->opt_len = s->static_len = 0L; +- s->last_lit = s->matches = 0; ++ s->sym_next = s->matches = 0; + } + + #define SMALLEST 1 +@@ -947,7 +947,7 @@ void ZLIB_INTERNAL _tr_flush_block(s, bu + + Tracev((stderr, "\nopt %lu(%lu) stat %lu(%lu) stored %lu lit %u ", + opt_lenb, s->opt_len, static_lenb, s->static_len, stored_len, +- s->last_lit)); ++ s->sym_next / 3)); + + if (static_lenb <= opt_lenb) opt_lenb = static_lenb; + +@@ -1016,8 +1016,9 @@ int ZLIB_INTERNAL _tr_tally (s, dist, lc + unsigned dist; /* distance of matched string */ + unsigned lc; /* match length-MIN_MATCH or unmatched char (if dist==0) */ + { +- s->d_buf[s->last_lit] = (ush)dist; +- s->l_buf[s->last_lit++] = (uch)lc; ++ s->sym_buf[s->sym_next++] = dist; ++ s->sym_buf[s->sym_next++] = dist >> 8; ++ s->sym_buf[s->sym_next++] = lc; + if (dist == 0) { + /* lc is the unmatched char */ + s->dyn_ltree[lc].Freq++; +@@ -1032,30 +1033,7 @@ int ZLIB_INTERNAL _tr_tally (s, dist, lc + s->dyn_ltree[_length_code[lc]+LITERALS+1].Freq++; + s->dyn_dtree[d_code(dist)].Freq++; + } +- +-#ifdef TRUNCATE_BLOCK +- /* Try to guess if it is profitable to stop the current block here */ +- if ((s->last_lit & 0x1fff) == 0 && s->level > 2) { +- /* Compute an upper bound for the compressed length */ +- ulg out_length = (ulg)s->last_lit*8L; +- ulg in_length = (ulg)((long)s->strstart - s->block_start); +- int dcode; +- for (dcode = 0; dcode < D_CODES; dcode++) { +- out_length += (ulg)s->dyn_dtree[dcode].Freq * +- (5L+extra_dbits[dcode]); +- } +- out_length >>= 3; +- Tracev((stderr,"\nlast_lit %u, in %ld, out ~%ld(%ld%%) ", +- s->last_lit, in_length, out_length, +- 100L - out_length*100L/in_length)); +- if (s->matches < s->last_lit/2 && out_length < in_length/2) return 1; +- } +-#endif +- return (s->last_lit == s->lit_bufsize-1); +- /* We avoid equality with lit_bufsize because of wraparound at 64K +- * on 16 bit machines and because stored blocks are restricted to +- * 64K-1 bytes. +- */ ++ return (s->sym_next == s->sym_end); + } + + /* =========================================================================== +@@ -1068,13 +1046,14 @@ local void compress_block(s, ltree, dtre + { + unsigned dist; /* distance of matched string */ + int lc; /* match length or unmatched char (if dist == 0) */ +- unsigned lx = 0; /* running index in l_buf */ ++ unsigned sx = 0; /* running index in sym_buf */ + unsigned code; /* the code to send */ + int extra; /* number of extra bits to send */ + +- if (s->last_lit != 0) do { +- dist = s->d_buf[lx]; +- lc = s->l_buf[lx++]; ++ if (s->sym_next != 0) do { ++ dist = s->sym_buf[sx++] & 0xff; ++ dist += (unsigned)(s->sym_buf[sx++] & 0xff) << 8; ++ lc = s->sym_buf[sx++]; + if (dist == 0) { + send_code(s, lc, ltree); /* send a literal byte */ + Tracecv(isgraph(lc), (stderr," '%c' ", lc)); +@@ -1099,11 +1078,10 @@ local void compress_block(s, ltree, dtre + } + } /* literal or match pair ? */ + +- /* Check that the overlay between pending_buf and d_buf+l_buf is ok: */ +- Assert((uInt)(s->pending) < s->lit_bufsize + 2*lx, +- "pendingBuf overflow"); ++ /* Check that the overlay between pending_buf and sym_buf is ok: */ ++ Assert(s->pending < s->lit_bufsize + sx, "pendingBuf overflow"); + +- } while (lx < s->last_lit); ++ } while (sx < s->sym_next); + + send_code(s, END_BLOCK, ltree); + } diff --git a/third_party/patch/zlib/CVE-2022-37434.patch b/third_party/patch/zlib/CVE-2022-37434.patch new file mode 100644 index 00000000000..186e5e3e684 --- /dev/null +++ b/third_party/patch/zlib/CVE-2022-37434.patch @@ -0,0 +1,15 @@ +diff -Npur zlib-1.2.11/inflate.c zlib-1.2.11-change/inflate.c +--- zlib-1.2.11/inflate.c 2017-01-01 15:37:10.000000000 +0800 ++++ zlib-1.2.11-change/inflate.c 2022-08-17 06:25:06.033176873 +0800 +@@ -759,8 +759,9 @@ int flush; + if (copy > have) copy = have; + if (copy) { + if (state->head != Z_NULL && +- state->head->extra != Z_NULL) { +- len = state->head->extra_len - state->length; ++ state->head->extra != Z_NULL && ++ (len = state->head->extra_len - state->length) < ++ state->head->extra_max) { + zmemcpy(state->head->extra + len, next, + len + copy > state->head->extra_max ? + state->head->extra_max - len : copy);