
Commit 6f8cc9c

[Low] Patch libglvnd for CVE-2023-26819 (microsoft#14182)
1 parent ffb2e80 commit 6f8cc9c


2 files changed

+103
-1
lines changed


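--- a/SPECS/libglvnd/CVE-2023-26819.patch
+++ b/SPECS/libglvnd/CVE-2023-26819.patch
@@ -0,0 +1,98 @@
+From 02bebb13f150e1585dc799c84f04e2df0669dd45 Mon Sep 17 00:00:00 2001
+From: BinduSri-6522866 <[email protected]>
+Date: Mon, 30 Jun 2025 03:04:16 +0000
+Subject: [PATCH] Address CVE-2023-2681.patch
+
+Upstream Patch reference: https://github.com/DaveGamble/cJSON/commit/a328d65ad490b64da8c87523cbbfe16050ba5bf6
+---
+src/util/cJSON.c | 37 ++++++++++++++++++++++++++++++++-----
+1 file changed, 32 insertions(+), 5 deletions(-)
+
+diff --git a/src/util/cJSON.c b/src/util/cJSON.c
+index b0bc3e8..4955fe6 100644
+--- a/src/util/cJSON.c
++++ b/src/util/cJSON.c
+@@ -277,9 +277,11 @@ static cJSON_bool parse_number(cJSON * const item, parse_buffer * const input_bu
+{
+double number = 0;
+unsigned char *after_end = NULL;
+- unsigned char number_c_string[64];
++ unsigned char *number_c_string;
+unsigned char decimal_point = get_decimal_point();
+size_t i = 0;
++ size_t number_string_length = 0;
++ cJSON_bool has_decimal_point = false;
+
+if ((input_buffer == NULL) || (input_buffer->content == NULL))
+{
+@@ -289,7 +291,7 @@ static cJSON_bool parse_number(cJSON * const item, parse_buffer * const input_bu
+/* copy the number into a temporary buffer and replace '.' with the decimal point
+* of the current locale (for strtod)
+* This also takes care of '\0' not necessarily being available for marking the end of the input */
+- for (i = 0; (i < (sizeof(number_c_string) - 1)) && can_access_at_index(input_buffer, i); i++)
++ for (i = 0; can_access_at_index(input_buffer, i); i++)
+{
+switch (buffer_at_offset(input_buffer)[i])
+{
+@@ -307,11 +309,12 @@ static cJSON_bool parse_number(cJSON * const item, parse_buffer * const input_bu
+case '-':
+case 'e':
+case 'E':
+- number_c_string[i] = buffer_at_offset(input_buffer)[i];
++ number_string_length++;
+break;
+
+case '.':
+- number_c_string[i] = decimal_point;
++ number_string_length++;
++ has_decimal_point = true;
+break;
+
+default:
+@@ -319,11 +322,33 @@ static cJSON_bool parse_number(cJSON * const item, parse_buffer * const input_bu
+}
+}
+loop_end:
+- number_c_string[i] = '\0';
++ /* malloc for temporary buffer, add 1 for '\0' */
++ number_c_string = (unsigned char *) input_buffer->hooks.allocate(number_string_length + 1);
++ if (number_c_string == NULL)
++ {
++ return false; /* allocation failure */
++ }
++
++ memcpy(number_c_string, buffer_at_offset(input_buffer), number_string_length);
++ number_c_string[number_string_length] = '\0';
++
++ if (has_decimal_point)
++ {
++ for (i = 0; i < number_string_length; i++)
++ {
++ if (number_c_string[i] == '.')
++ {
++ /* replace '.' with the decimal point of the current locale (for strtod) */
++ number_c_string[i] = decimal_point;
++ }
++ }
++ }
+
+number = strtod((const char*)number_c_string, (char**)&after_end);
+if (number_c_string == after_end)
+{
++ /* free the temporary buffer */
++ input_buffer->hooks.deallocate(number_c_string);
+return false; /* parse_error */
+}
+
+@@ -346,6 +371,8 @@ loop_end:
+item->type = cJSON_Number;
+
+input_buffer->offset += (size_t)(after_end - number_c_string);
++ /* free the temporary buffer */
++ input_buffer->hooks.deallocate(number_c_string);
+return true;
+}
+
+--
+2.45.3
+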
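Review bot: The embedded mail header reads `Subject: [PATCH] Address CVE-2023-2681.patch`, which drops the last digit of the identifier used by the file name, the commit title and the spec changelog (CVE-2023-26819); correcting it to `Subject: [PATCH] Address CVE-2023-26819` keeps the patch's provenance searchable for anyone auditing which CVE fixes this package carries. In the code, the counting loop is now bounded only by `can_access_at_index`, so the buffer from `hooks.allocate(number_string_length + 1)` scales with the length of the numeric token rather than stopping at the old 64-byte array; a comment next to the allocation such as `/* size is limited by the parse buffer length, no fixed cap */` would record that this is intended. The statements between the `strtod` failure branch and the final `deallocate` lie outside the hunks, so it is worth confirming that this vendored `parse_number` has no other return in that stretch that would leak `number_c_string`.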

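--- a/SPECS/libglvnd/libglvnd.spec
+++ b/SPECS/libglvnd/libglvnd.spec
@@ -3,7 +3,7 @@
 Summary: The GL Vendor-Neutral Dispatch library
 Name: libglvnd
 Version: 1.7.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MIT AND GPLv3+
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -15,6 +15,7 @@ Patch1: 0001-glx-Add-another-fallback-library-name.patch
 Patch2: 0002-Adding-a-separate-conditional-to-disable-running-GLX.patch
 # this patch address both CVE-2019-11834 and CVE-2019-11835
 Patch3: CVE-2019-11834.patch
+Patch4: CVE-2023-26819.patch
 
 BuildRequires: gcc
 BuildRequires: libtool
@@ -214,6 +215,9 @@ make check V=1 || \
 %{_libdir}/pkgconfig/opengl.pc
 
 %changelog
+* Mon Jun 30 2025 BinduSri Adabala <[email protected]> - 1.7.0-3
+- Patch CVE-2023-26819.
+
 * Tue Jun 04 2024 Nicolas Guibourge <[email protected]> - 1.7.0-2
 - Address CVE-2019-11834 and CVE-2019-11835.
 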
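Review bot: `Patch4: CVE-2023-26819.patch` is only declared here, and the `%prep` section that applies patches lies outside these hunks, so it is not visible whether the new patch is actually applied during the build. If the spec uses `%autosetup -p1` nothing more is needed; if patches are listed explicitly, a matching `%patch -P 4 -p1` line is required, otherwise the release bump and changelog would advertise a fix that is not compiled in. The line above `Patch3` documents what that patch covers, and a similar one-line comment above `Patch4`, for example `# backport of the upstream cJSON fix to the vendored src/util/cJSON.c`, would tell the next maintainer why a cJSON patch sits in libglvnd.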
