dbus-1/fix-upstream-CVE-2022-42011.patch

commit 079bbf16186e87fb0157adf8951f19864bc2ed69
Author: Simon McVittie <smcv@collabora.com>
Date:   Mon Sep 12 13:14:18 2022 +0100

    dbus-marshal-validate: Validate length of arrays of fixed-length items
    
    This fast-path previously did not check that the array was made up
    of an integer number of items. This could lead to assertion failures
    and out-of-bounds accesses during subsequent message processing (which
    assumes that the message has already been validated), particularly after
    the addition of _dbus_header_remove_unknown_fields(), which makes it
    more likely that dbus-daemon will apply non-trivial edits to messages.
    
    Thanks: Evgeny Vereshchagin
    Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays"
    Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413
    Resolves: CVE-2022-42011
    Signed-off-by: Simon McVittie <smcv@collabora.com>

Index: dbus-1.12.2/dbus/dbus-marshal-validate.c
===================================================================
--- dbus-1.12.2.orig/dbus/dbus-marshal-validate.c
+++ dbus-1.12.2/dbus/dbus-marshal-validate.c
@@ -498,13 +498,24 @@ validate_body_helper (DBusTypeReader
                  */ 
                 if (dbus_type_is_fixed (array_elem_type))
                   {
+                    /* Note that fixed-size types all have sizes equal to
+                     * their alignments, so this is really the item size. */
+                    alignment = _dbus_type_get_alignment (array_elem_type);
+                    _dbus_assert (alignment == 1 || alignment == 2 ||
+                                  alignment == 4 || alignment == 8);
+
+                    /* Because the alignment is a power of 2, this is
+                     * equivalent to: (claimed_len % alignment) != 0,
+                     * but avoids slower integer division */
+                    if ((claimed_len & (alignment - 1)) != 0)
+                      return DBUS_INVALID_ARRAY_LENGTH_INCORRECT;
+
                     /* bools need to be handled differently, because they can
                      * have an invalid value
                      */
                     if (array_elem_type == DBUS_TYPE_BOOLEAN)
                       {
                         dbus_uint32_t v;
-                        alignment = _dbus_type_get_alignment (array_elem_type);
 
                         while (p < array_end)
                           {