[Backport] Security bug 1184294

zetafunction · mibrunin · commit b547d6aa85b9 · 2021-09-03T12:04:45.000Z
Manual backport (subdirectory update) of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2803936: Roll xdg-mime to 722325fba8968a26eb243642cbe89a044d6dfd6c. $ git log 2cdd8d36d..722325fba --date=short --no-merges --format='%ad %ae %s' 2021-03-18 kdudka@redhat.com Fix fd leak in error path 2021-01-06 hadess@hadess.net ci: Add CI 2020-11-21 emmanuel.fleury@u-bordeaux.fr Fix signedness warnings in src/xdgmimecache.c 2020-11-21 emmanuel.fleury@u-bordeaux.fr Fix signedness warnings in src/xdgmimecache.c:__gio_xdg_cache_list_mime_parents() 2020-11-21 emmanuel.fleury@u-bordeaux.fr Fix signedness warning in src/xdgmimecache.c:__gio_xdg_cache_mime_type_subclass() 2020-11-21 emmanuel.fleury@u-bordeaux.fr Fix signedness warning in src/xdgmimecache.c:cache_glob_node_lookup_suffix() 2020-11-21 emmanuel.fleury@u-bordeaux.fr Fix signedness warning in rc/xdgmimecache.c:cache_glob_lookup_fnmatch() 2020-11-21 emmanuel.fleury@u-bordeaux.fr Fix signedness warning in src/xdgmimecache.c:cache_magic_compare_to_data() 2020-11-21 emmanuel.fleury@u-bordeaux.fr Fix signedness warning in src/xdgmimecache.c:cache_magic_matchlet_compare() 2020-11-21 emmanuel.fleury@u-bordeaux.fr Fix signedness warnings in src/xdgmimecache.c:cache_magic_matchlet_compare_to_data() 2020-11-21 emmanuel.fleury@u-bordeaux.fr Fix signedness warnings in src/xdgmimemagic.c:_xdg_mime_magic_matchlet_compare_to_data() 2020-11-21 emmanuel.fleury@u-bordeaux.fr Fix signedness warnings in src/xdgmimemagic.c:_xdg_mime_magic_parse_magic_line() 2020-11-21 emmanuel.fleury@u-bordeaux.fr Fix signedness warning in src/xdgmimeint.c 2020-12-27 faure@kde.org Fix fallback after multiple matching globs 2020-12-27 faure@kde.org Fix usage information for print-mime-data 2019-06-03 withnall@endlessm.com xdgmime: Don’t set an out argument if it’s NULL 2018-11-19 ville.skytta@iki.fi Comment grammar fix 2018-07-16 mcatanzaro@igalia.com Fix buffer underflow in __gio_xdg_cache_mime_type_subclass() 2018-07-16 mcatanzaro@igalia.com Fix special case for mime_type_subclass 2018-07-16 mcatanzaro@igalia.com Handle EINTR in open() 2018-07-16 mcatanzaro@igalia.com Don't forget to free resources on an early return 2018-07-16 mcatanzaro@igalia.com Fix void pointer arithmetic in cache_magic_matchlet_compare_to_data() 2018-07-16 mcatanzaro@igalia.com Fix use after free in xdg_mime_get_mime_type_for_file 2018-07-16 mcatanzaro@igalia.com Add space before paren in _xdg_mime_cache_get_mime_type_for_file 2018-06-30 mcatanzaro@igalia.com build: Add a .gitignore 2018-06-17 ville.skytta@iki.fi Spelling fixes 2017-09-05 hadess@hadess.net Check further into the file whether it is text or binary 2013-01-07 hadess@hadess.net tests: Fix current test-mime failures 2013-01-07 hadess@hadess.net tests: Make test-mime failures fatal 2013-01-07 hadess@hadess.net tests: Mime-types are not case-sensitive 2012-09-27 hadess@hadess.net Ignore non-regular files in print-mime-data 2012-09-25 hadess@hadess.net Add print-mime-data program Fixed: 1184294 Change-Id: I74717bb13d49088b18bd88404c7cf7b8032a7d99 Reviewed-by: Adrian Taylor <adetaylor@chromium.org> Reviewed-by: Thomas Anderson <thomasanderson@chromium.org> Commit-Queue: Daniel Cheng <dcheng@chromium.org> Cr-Commit-Position: refs/heads/master@{#871055} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> (cherry picked from commit 2327f83)
diff --git a/chromium/base/third_party/xdg_mime/README b/chromium/base/third_party/xdg_mime/README
@@ -1,5 +1,5 @@
 This module is a simple module that parses the proposed MIME spec listed
-at http://freedesktop.org/.  It is currently targetted at version 0.12.
+at http://freedesktop.org/.  It is currently targeted at version 0.12.
 There are no formal releases planned for this module, and it is not
 intended to be installed at this time.  Rather, it is meant to be used
 by other libraries or applications to add support for the MIME system.
diff --git a/chromium/base/third_party/xdg_mime/README.chromium b/chromium/base/third_party/xdg_mime/README.chromium
@@ -1,14 +1,12 @@
 Name: xdg-mime
-URL: http://freedesktop.org
+URL: https://gitlab.freedesktop.org/xdg/xdgmime
+Version: 722325fba8968a26eb243642cbe89a044d6dfd6c
+CPEPrefix: unknown
 License: Academic Free License version 2.0 or LGPL v2
+Security critical: yes
 
-The code in this directory is synced from:
-git://anongit.freedesktop.org/xdg/xdgmime
-@ 2cdd8d36d7930d5a594587286cb1949ff62f7027 on 2012/08/06.
+Run //base/third_party/xdg_mime/roll.py to update this dependency.
 
-In addition, we have the following patch(es):
-  - compile.patch: small tweaks to make the code compile.
-  - free_pointer_later.patch: small patch that fixes potential crash in
-      xdg_mime_get_mime_type_for_file() - use of pointer after being freed.
-  - function_casts.patch: fix bad function casts.
-  - Added a LICENSE file.
+Patches:
+- 000-have-mmap.patch: enable code guarded with HAVE_MMAP since
+  Chrome does not run autoconf.
diff --git a/chromium/base/third_party/xdg_mime/xdgmime.c b/chromium/base/third_party/xdg_mime/xdgmime.c
@@ -136,7 +136,7 @@ xdg_dir_time_list_free (XdgDirTimeList *list)
 }
 
 static int
-xdg_mime_init_from_directory (const char *directory, void *user_data)
+xdg_mime_init_from_directory (const char *directory)
 {
   char *file_name;
   struct stat st;
@@ -340,9 +340,8 @@ xdg_check_file (const char *file_path,
 
 static int
 xdg_check_dir (const char *directory,
-	       void       *user_data)
+	       int        *invalid_dir_list)
 {
-  int *invalid_dir_list = user_data;
   int invalid, exists;
   char *file_name;
 
@@ -399,7 +398,8 @@ xdg_check_dirs (void)
   for (list = dir_time_list; list; list = list->next)
     list->checked = XDG_CHECKED_UNCHECKED;
 
-  xdg_run_command_on_dirs (xdg_check_dir, &invalid_dir_list);
+  xdg_run_command_on_dirs ((XdgDirectoryFunc) xdg_check_dir,
+			   &invalid_dir_list);
 
   if (invalid_dir_list)
     return TRUE;
@@ -455,7 +455,8 @@ xdg_mime_init (void)
       icon_list = _xdg_mime_icon_list_new ();
       generic_icon_list = _xdg_mime_icon_list_new ();
 
-      xdg_run_command_on_dirs (xdg_mime_init_from_directory, NULL);
+      xdg_run_command_on_dirs ((XdgDirectoryFunc) xdg_mime_init_from_directory,
+			       NULL);
 
       need_reread = FALSE;
     }
@@ -470,7 +471,8 @@ xdg_mime_get_mime_type_for_data (const void *data,
 
   if (len == 0)
     {
-      *result_prio = 100;
+      if (result_prio != NULL)
+        *result_prio = 100;
       return XDG_MIME_TYPE_EMPTY;
     }
 
@@ -557,12 +559,12 @@ xdg_mime_get_mime_type_for_file (const char  *file_name,
   mime_type = _xdg_mime_magic_lookup_data (global_magic, data, bytes_read, NULL,
 					   mime_types, n);
 
-  fclose (file);
-
   if (!mime_type)
-    mime_type = _xdg_binary_or_text_fallback(data, bytes_read);
+    mime_type = _xdg_binary_or_text_fallback (data, bytes_read);
 
   free (data);
+  fclose (file);
+
   return mime_type;
 }
 
@@ -740,19 +742,28 @@ xdg_mime_media_type_equal (const char *mime_a,
 
 #if 1
 static int
-xdg_mime_is_super_type (const char *mime)
+ends_with (const char *str,
+           const char *suffix)
 {
   int length;
-  const char *type;
+  int suffix_length;
 
-  length = strlen (mime);
-  type = &(mime[length - 2]);
+  length = strlen (str);
+  suffix_length = strlen (suffix);
+  if (length < suffix_length)
+    return 0;
 
-  if (strcmp (type, "/*") == 0)
+  if (strcmp (str + length - suffix_length, suffix) == 0)
     return 1;
 
   return 0;
 }
+
+static int
+xdg_mime_is_super_type (const char *mime)
+{
+  return ends_with (mime, "/*");
+}
 #endif
 
 int
@@ -783,7 +794,8 @@ _xdg_mime_mime_type_subclass (const char *mime,
       strncmp (umime, "text/", 5) == 0)
     return 1;
 
-  if (strcmp (ubase, "application/octet-stream") == 0)
+  if (strcmp (ubase, "application/octet-stream") == 0 &&
+      strncmp (umime, "inode/", 6) != 0)
     return 1;
   
   parents = _xdg_mime_parent_list_lookup (parent_list, umime);
diff --git a/chromium/base/third_party/xdg_mime/xdgmimecache.c b/chromium/base/third_party/xdg_mime/xdgmimecache.c
@@ -34,6 +34,7 @@
 
 #include <fcntl.h>
 #include <unistd.h>
+#include <errno.h>
 #include <fnmatch.h>
 #include <assert.h>
 
@@ -122,7 +123,9 @@ _xdg_mime_cache_new_from_file (const char *file_name)
   int minor;
 
   /* Open the file and map it into memory */
-  fd = open (file_name, O_RDONLY|_O_BINARY, 0);
+  do {
+    fd = open (file_name, O_RDONLY|_O_BINARY, 0);
+  } while (fd == -1 && errno == EINTR);
 
   if (fd < 0)
     return NULL;
@@ -173,7 +176,7 @@ cache_magic_matchlet_compare_to_data (XdgMimeCache *cache,
   xdg_uint32_t data_offset = GET_UINT32 (cache->buffer, offset + 16);
   xdg_uint32_t mask_offset = GET_UINT32 (cache->buffer, offset + 20);
   
-  int i, j;
+  xdg_uint32_t i, j;
 
   for (i = range_start; i < range_start + range_length; i++)
     {
@@ -196,7 +199,7 @@ cache_magic_matchlet_compare_to_data (XdgMimeCache *cache,
 	}
       else
 	{
-	  valid_matchlet = memcmp(cache->buffer + data_offset, data + i, data_length) == 0;
+	  valid_matchlet = memcmp(cache->buffer + data_offset, (unsigned char *)data + i, data_length) == 0;
 	}
 
       if (valid_matchlet)
@@ -215,7 +218,7 @@ cache_magic_matchlet_compare (XdgMimeCache *cache,
   xdg_uint32_t n_children = GET_UINT32 (cache->buffer, offset + 24);
   xdg_uint32_t child_offset = GET_UINT32 (cache->buffer, offset + 28);
 
-  int i;
+  xdg_uint32_t i;
   
   if (cache_magic_matchlet_compare_to_data (cache, offset, data, len))
     {
@@ -245,7 +248,7 @@ cache_magic_compare_to_data (XdgMimeCache *cache,
   xdg_uint32_t n_matchlets = GET_UINT32 (cache->buffer, offset + 8);
   xdg_uint32_t matchlet_offset = GET_UINT32 (cache->buffer, offset + 12);
 
-  int i;
+  xdg_uint32_t i;
 
   for (i = 0; i < n_matchlets; i++)
     {
@@ -265,15 +268,13 @@ static const char *
 cache_magic_lookup_data (XdgMimeCache *cache, 
 			 const void   *data, 
 			 size_t        len, 
-			 int          *prio,
-			 const char   *mime_types[],
-			 int           n_mime_types)
+			 int          *prio)
 {
   xdg_uint32_t list_offset;
   xdg_uint32_t n_entries;
   xdg_uint32_t offset;
 
-  int j, n;
+  xdg_uint32_t j;
 
   *prio = 0;
 
@@ -289,21 +290,6 @@ cache_magic_lookup_data (XdgMimeCache *cache,
 					   data, len, prio);
       if (match)
 	return match;
-      else
-	{
-	  xdg_uint32_t mimetype_offset;
-	  const char *non_match;
-	  
-	  mimetype_offset = GET_UINT32 (cache->buffer, offset + 16 * j + 4);
-	  non_match = cache->buffer + mimetype_offset;
-
-	  for (n = 0; n < n_mime_types; n++)
-	    {
-	      if (mime_types[n] && 
-		  _xdg_mime_mime_type_equal (mime_types[n], non_match))
-		mime_types[n] = NULL;
-	    }
-	}
     }
 
   return NULL;
@@ -412,7 +398,8 @@ cache_glob_lookup_fnmatch (const char *file_name,
   const char *mime_type;
   const char *ptr;
 
-  int i, j, n;
+  int i, n;
+  xdg_uint32_t j;
 
   n = 0;
   for (i = 0; _caches[i]; i++)
@@ -468,7 +455,8 @@ cache_glob_node_lookup_suffix (XdgMimeCache  *cache,
   int weight;
   int case_sensitive;
 
-  int min, max, mid, n, i;
+  xdg_uint32_t i;
+  int min, max, mid, n;
 
   character = file_name[len - 1];
 
@@ -677,8 +665,7 @@ cache_get_mime_type_for_data (const void *data,
       int prio;
       const char *match;
 
-      match = cache_magic_lookup_data (cache, data, len, &prio, 
-				       mime_types, n_mime_types);
+      match = cache_magic_lookup_data (cache, data, len, &prio);
       if (prio > priority)
 	{
 	  priority = prio;
@@ -697,9 +684,11 @@ cache_get_mime_type_for_data (const void *data,
           if (mime_types[n] && _xdg_mime_cache_mime_type_subclass(mime_types[n], mime_type))
               return mime_types[n];
         }
-
-      /* Return magic match */
-      return mime_type;
+      if (n == 0)
+        {
+          /* No globs: return magic match */
+          return mime_type;
+        }
     }
 
   /* Pick first glob result, as fallback */
@@ -787,7 +776,7 @@ _xdg_mime_cache_get_mime_type_for_file (const char  *file_name,
 					    mime_types, n);
 
   if (!mime_type)
-    mime_type = _xdg_binary_or_text_fallback(data, bytes_read);
+    mime_type = _xdg_binary_or_text_fallback (data, bytes_read);
 
   free (data);
   fclose (file);
@@ -816,19 +805,28 @@ _xdg_mime_cache_get_mime_types_from_file_name (const char *file_name,
 
 #if 1
 static int
-is_super_type (const char *mime)
+ends_with (const char *str,
+           const char *suffix)
 {
   int length;
-  const char *type;
+  int suffix_length;
 
-  length = strlen (mime);
-  type = &(mime[length - 2]);
+  length = strlen (str);
+  suffix_length = strlen (suffix);
+  if (length < suffix_length)
+    return 0;
 
-  if (strcmp (type, "/*") == 0)
+  if (strcmp (str + length - suffix_length, suffix) == 0)
     return 1;
 
   return 0;
 }
+
+static int
+is_super_type (const char *mime)
+{
+  return ends_with (mime, "/*");
+}
 #endif
 
 int
@@ -837,7 +835,8 @@ _xdg_mime_cache_mime_type_subclass (const char *mime,
 {
   const char *umime, *ubase;
 
-  int i, j, min, max, med, cmp;
+  xdg_uint32_t j;
+  int i, min, max, med, cmp;
   
   umime = _xdg_mime_cache_unalias_mime_type (mime);
   ubase = _xdg_mime_cache_unalias_mime_type (base);
@@ -860,7 +859,8 @@ _xdg_mime_cache_mime_type_subclass (const char *mime,
       strncmp (umime, "text/", 5) == 0)
     return 1;
 
-  if (strcmp (ubase, "application/octet-stream") == 0)
+  if (strcmp (ubase, "application/octet-stream") == 0 &&
+      strncmp (umime, "inode/", 6) != 0)
     return 1;
  
   for (i = 0; _caches[i]; i++)
@@ -919,7 +919,8 @@ _xdg_mime_cache_unalias_mime_type (const char *mime)
 char **
 _xdg_mime_cache_list_mime_parents (const char *mime)
 {
-  int i, j, k, l, p;
+  int i, l, p;
+  xdg_uint32_t j, k;
   char *all_parents[128]; /* we'll stop at 128 */ 
   char **result;
 
@@ -1031,6 +1032,7 @@ dump_glob_node (XdgMimeCache *cache,
   xdg_uint32_t mime_offset;
   xdg_uint32_t n_children;
   xdg_uint32_t child_offset;
+  xdg_uint32_t k;
   int i;
 
   character = GET_UINT32 (cache->buffer, offset);
@@ -1045,15 +1047,15 @@ dump_glob_node (XdgMimeCache *cache,
   printf ("\n");
   if (child_offset)
   {
-    for (i = 0; i < n_children; i++)
-      dump_glob_node (cache, child_offset + 20 * i, depth + 1);
+    for (k = 0; k < n_children; k++)
+      dump_glob_node (cache, child_offset + 20 * k, depth + 1);
   }
 }
 
 void
 _xdg_mime_cache_glob_dump (void)
 {
-  int i, j;
+  xdg_uint32_t i, j;
   for (i = 0; _caches[i]; i++)
   {
     XdgMimeCache *cache = _caches[i];
@@ -1067,3 +1069,5 @@ _xdg_mime_cache_glob_dump (void)
 	    dump_glob_node (cache, offset + 20 * j, 0);
   }
 }
+
+
diff --git a/chromium/base/third_party/xdg_mime/xdgmimeglob.c b/chromium/base/third_party/xdg_mime/xdgmimeglob.c
@@ -86,7 +86,7 @@ _xdg_glob_list_new (void)
   return new_element;
 }
 
-/* Frees glob_list and all of it's children */
+/* Frees glob_list and all of its children */
 static void
 _xdg_glob_list_free (XdgGlobList *glob_list)
 {
diff --git a/chromium/base/third_party/xdg_mime/xdgmimeint.c b/chromium/base/third_party/xdg_mime/xdgmimeint.c
diff --git a/chromium/base/third_party/xdg_mime/xdgmimemagic.c b/chromium/base/third_party/xdg_mime/xdgmimemagic.c

Original file line number	Diff line number	Diff line change
`@@ -86,7 +86,7 @@ _xdg_glob_list_new (void)`
`86`	`86`	`return new_element;`
`87`	`87`	`}`
`88`	`88`
`89`		`-/* Frees glob_list and all of it's children */`
	`89`	`+/* Frees glob_list and all of its children */`
`90`	`90`	`static void`
`91`	`91`	`_xdg_glob_list_free (XdgGlobList *glob_list)`
`92`	`92`	`{`